[email protected] don't have specific guidance on this because projects can choose to rate vulnerabilities using whatever system works for them. However your comments are correct (for example Red Hat now only rates CVSSv3 and has stopped CVSSv2 on new flaws since this week), so it would be worth considering that transition.
Mark On Wed, Jan 4, 2017 at 12:59 PM, Daniel Shahaf <[email protected]> wrote: > We currently publish CVSSv2 scores for scoring security advisories. > > Since we started using CVSSv2, a revised standard, CVSSv3, has been > released. > > Should we migrate to CVSSv3? I.e., start computing CVSSv3 scores for > security advisories? > > --- > > Andreas reports distros downstream are migrating to CVSSv3 and would > rather upstreams did, too. > > I don't have an opinion on this; I'm not familiar with the new standard. > > Cheers, > > Daniel > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] >
