On Tue, Oct 11, 2016 at 08:04:33PM -0000, [email protected] wrote:
> 1. If NVD ratings are meaningless to Debian's security team, how does the
> security team prioritize which vulnerability should be fixed first before
> others?

We look at the vulnerabilities and make an assessment.

> 2. According to https://www.debian.org/security/, it states:
>
> "Debian also participates in security standardization efforts: the Debian
> Security Advisories are CVE-Compatible (review the cross references) and
> Debian is represented in the Board of the Open Vulnerability Assessment
> Language project."
>
> If Debian Security Advisories are CVE-compatible, it means that the former
> accept the NVD ratings included in CVEs, yes?

We use CVE IDs for mapping vulnerabilities. NVD ratings have about the same
influence on our work as moon phases.

Cheers,
        Moritz

