j---
j---
Thanks for all the good work automating things here. It looks like an important project. Asset significance and vulnerability severity may not be the right concepts for the prioritization decision...
Thanks for this work. I find the project is clear about its goals, and is clear about its operations and documentation for how to run the script. However, it's not...
Be clear about how Industrial Control System and Operations Technology stakeholders are handled. In many cases they may use the usual SSVC v1 decision points, but with a different risk...
While resolving #311 in code, #439 focused (appropriately narrowly) on the decision point definitions in the python. ADH noted there that > Also, I am avoiding updating any additional documentation,...
Service area 3 is about vulnerability triage for PSIRTs https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1 Service area 7.2.2 is about CSIRT vulnerability triage https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#7-2-Service-Vulnerability-report-intake SSVC may be in a position to be providing additional detail...
This is the calculator engineering aspects of #186 The document describes some equivalences or ways that CVSS vector string data can be used to inform SSVC decisions. CVSSv3.1 is not...
Let's start with CPE ID maybe, and see how that goes? Also, there are other reasons value density might be concentrated (the discussion of bug bounty price vis-a-vis Zerodium, for...
The CNA rules allow for a fair amount of flexibility for what an individual stakeholder decides about assigning CVE IDs. There are some basic rules here: https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf, section 7. Within...