<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Please consider this at the next netsec meeting. If the subcommittee
thinks this change is justified and is deemed non-controversial, it
may consider adding it in an upcoming ballot.<br>
<br>
Dimitris.<br>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>[cabforum/documents] NetSec: suggested CVSS updates
(#156)</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Wed, 22 Jan 2020 20:10:32 -0800</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Josh Aas <a class="moz-txt-link-rfc2396E" href="mailto:notifications@github.com">&lt;notifications@github.com&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Reply-To:
</th>
<td>cabforum/documents
<a class="moz-txt-link-rfc2396E" href="mailto:reply+ACAMQERW63ZULTTODINBF4N4GZHTREVBNHHCCBB4HA@reply.github.com">&lt;reply+ACAMQERW63ZULTTODINBF4N4GZHTREVBNHHCCBB4HA@reply.github.com&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td>cabforum/documents <a class="moz-txt-link-rfc2396E" href="mailto:documents@noreply.github.com">&lt;documents@noreply.github.com&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">CC: </th>
<td>Subscribed <a class="moz-txt-link-rfc2396E" href="mailto:subscribed@noreply.github.com">&lt;subscribed@noreply.github.com&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<p>Passing this report/suggestion along from a community member.</p>
<p>Relating to the definition of "Critical Vulnerability":</p>
<ol>
<li>This link seems outdated:</li>
</ol>
<p><a href="http://nvd.nist.gov/home.cfm" rel="nofollow"
moz-do-not-send="true">http://nvd.nist.gov/home.cfm</a></p>
<p>Perhaps a better link would be:</p>
<p><a href="https://nvd.nist.gov/vuln-metrics/cvss" rel="nofollow"
moz-do-not-send="true">https://nvd.nist.gov/vuln-metrics/cvss</a></p>
<p>This also has the advantage of being an https link.</p>
<ol start="2">
<li>CVSS v3.0 defines critical as 9.0 or above. The NetSec
guidelines currently say CVSS 7.0 or higher is critical.
Should the NetSec guidelines be changed to define critical as
9.0, in line with the CVSS ratings, or is NetSec intentionally
lowering the bar for what's considered critical to 7.0?</li>
</ol>
</div>
</body>
</html>