The Register, 2005-02-23
Leading IT suppliers are banding together to develop a system designed to standardise the rating of security vulnerabilities. The scheme, called the Common Vulnerability Scoring System (CVSS), announced at last week's RSA Conference in San Francisco, is designed to replace vendor-specific ratings with a single system that will make it easier for users to prioritise security remediation work.

CVSS is backed by firms including Cisco Systems, Microsoft, Qualys and Symantec and is part of a project by the US National Infrastructure Advisory Council (NIAC), an advisory body to the US Department of Homeland Security, to create a framework for disclosing security vulnerabilities. The severity and urgency of software bugs are gauged by CVSS against a standard set of metrics. "It's a new way to talk about vulnerability severity," Mike Schiffman, a researcher at Cisco Systems, told New Scientist.
CVSS scores a vulnerability according to seven factors, including whether a flaw gives an attacker access to confidential information, permits a cracker to modify data or allows an assailant to carry out a denial of service attack. Whether a vulnerability is remotely exploitable, how hard the attack is to pull off, and whether the attacker must first authenticate are also taken into account. How the picture has changed since the vulnerability was discovered, for instance whether exploit code has appeared, is also factored into the assessment of its severity.
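As an added worked example (not part of The Register's article, and not code from NIAC or any of the vendors named), the calculator below shows how those factors combine into a score. It implements the formula and metric weights of CVSS version 1 as published in the 2005 NIAC paper; the article names the factors but not the weights, so those values come from the published specification rather than from this page. Note that this is the original version 1 arithmetic, which was replaced by CVSS v2 in 2007, so it is useful for understanding what the article describes, not for scoring vulnerabilities today. Rounding ties half-up is an assumption; the spec only says "round to one decimal".

```python
"""CVSS version 1 base and temporal score calculator (constructed example).

The weights below are those of the CVSS v1 specification (NIAC, 2005).
They are not taken from the article and have since been superseded.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metrics: how the flaw can be reached and what it lets the attacker do.
ACCESS_VECTOR = {"local": Decimal("0.7"), "remote": Decimal("1.0")}
ACCESS_COMPLEXITY = {"high": Decimal("0.8"), "low": Decimal("1.0")}
AUTHENTICATION = {"required": Decimal("0.6"), "not-required": Decimal("1.0")}
IMPACT = {"none": Decimal("0"), "partial": Decimal("0.7"), "complete": Decimal("1.0")}
# Impact bias: the seventh base metric, weighting (confidentiality, integrity,
# availability) according to which property matters most for this flaw.
IMPACT_BIAS = {
    "normal": (Decimal("0.333"), Decimal("0.333"), Decimal("0.333")),
    "confidentiality": (Decimal("0.5"), Decimal("0.25"), Decimal("0.25")),
    "integrity": (Decimal("0.25"), Decimal("0.5"), Decimal("0.25")),
    "availability": (Decimal("0.25"), Decimal("0.25"), Decimal("0.5")),
}

# Temporal metrics: things that change after disclosure (exploit code,
# vendor fix, confidence in the report) and scale the base score down.
EXPLOITABILITY = {
    "unproven": Decimal("0.85"), "proof-of-concept": Decimal("0.9"),
    "functional": Decimal("0.95"), "high": Decimal("1.0"),
}
REMEDIATION_LEVEL = {
    "official-fix": Decimal("0.87"), "temporary-fix": Decimal("0.90"),
    "workaround": Decimal("0.95"), "unavailable": Decimal("1.0"),
}
REPORT_CONFIDENCE = {
    "unconfirmed": Decimal("0.90"), "uncorroborated": Decimal("0.95"),
    "confirmed": Decimal("1.0"),
}


def _round1(value: Decimal) -> float:
    """Round to one decimal place. Half-up tie handling is an assumption;
    Decimal is used so that the weight arithmetic is exact, not binary float."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(access_vector: str, access_complexity: str, authentication: str,
               conf_impact: str, integ_impact: str, avail_impact: str,
               impact_bias: str = "normal") -> float:
    """CVSS v1 base score:
    10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded to one decimal."""
    bias_c, bias_i, bias_a = IMPACT_BIAS[impact_bias]
    impact = (IMPACT[conf_impact] * bias_c
              + IMPACT[integ_impact] * bias_i
              + IMPACT[avail_impact] * bias_a)
    raw = (Decimal(10) * ACCESS_VECTOR[access_vector]
           * ACCESS_COMPLEXITY[access_complexity]
           * AUTHENTICATION[authentication] * impact)
    return _round1(raw)


def temporal_score(base: float, exploitability: str, remediation_level: str,
                   report_confidence: str) -> float:
    """CVSS v1 temporal score: base * E * RL * RC, rounded to one decimal.
    Every temporal weight is <= 1.0, so this can only lower the base score."""
    raw = (Decimal(str(base)) * EXPLOITABILITY[exploitability]
           * REMEDIATION_LEVEL[remediation_level]
           * REPORT_CONFIDENCE[report_confidence])
    return _round1(raw)


if __name__ == "__main__":
    # Constructed scenario: a remotely reachable, unauthenticated flaw that
    # fully compromises confidentiality, integrity and availability.
    worst = base_score("remote", "low", "not-required",
                       "complete", "complete", "complete")
    print("base, remote full compromise:", worst)          # 10.0
    # The same bug once the vendor ships a fix and no exploit has surfaced.
    print("temporal, fixed and unproven:",
          temporal_score(worst, "unproven", "official-fix", "confirmed"))  # 7.4
    # A local, hard-to-exploit flaw that needs credentials and only leaks data.
    print("base, local info leak:",
          base_score("local", "high", "required", "complete", "none", "none"))  # 1.1
```

The impact bias is worth noticing: the same confidentiality-only flaw scores 3.3 under the "normal" bias but 5.0 under the "confidentiality" bias, because the scorer has said that secrecy is what matters for that asset. That is exactly the kind of judgement call that vendor-specific ratings left implicit and that a shared metric set makes visible.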
Qualys plans to include CVSS scores in the data it supplies for the SANS (SysAdmin, Audit, Network, Security) Institute's free newsletters starting later this year, New Scientist reports. Other vendors have yet to outline how they will use CVSS, which is still in development. ®