On 10/04/07 09:45, Bill Anderson wrote:

> We would like to use CVSSv2 scores in our results reporting.  I was 
> wondering if anyone is working on doing CVSS scoring on plugins that
> are currently without CVSS scores?

In addition to what Ron said, I'd like to add that Tenable has been
syncing CVSS scores with those in NIST's National Vulnerability Database
(NVD) and working closely with analysts there to correct scoring
mistakes and update older entries that are marked as "approximated"
(meaning they were scored by computer rather than a human and are not 
necessarily reliable). As scores for older issues become available, the 
corresponding plugins should be updated as part of our daily processes.

> Is there any kind of schedule or estimate on when that will be done?

For our part, we work on it as time permits; we don't have a timeframe 
for completion.

As for NIST efforts to manually score those entries that are currently 
marked as "approximated", you should contact them -- [EMAIL PROTECTED]

> Would it be useful to partner on creating scores for the plugins that
> do not currently have them?

Our strategy has been to track scores in the NVD to the extent that's
possible rather than maintain our own scores independent of those in the 
NVD.

> Also, there are a large number of plugins that do not have CVEs
> associated with them.  Has anyone done any research as to whether
> this is due to plugin writers not providing them, or do these plugins
> truly not have CVEs to be associated with?  Is anyone working on
> improving this?

We have daily jobs that analyze the Bugtraq, CVE, and OSVDB 
vulnerability databases in an attempt to identify missing 
cross-references for plugins. While it's not perfect, I suspect that 
many of those plugins that lack CVEs really don't have any associated 
with them. Still, if you're aware of any mistakes / omissions, feel free 
to let me know. I'd also be interested in hearing of alternative approaches.

George
-- 
[EMAIL PROTECTED]
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus