On 6/7/19 5:02 AM, harshad wadkar wrote:
Respected Madam / Sir,
I am referring to the following URL to know about open-scap and Ubuntu
I have one query:
1. At present, the severities are labelled as unknown, low, medium and
a) Is there any mechanism or logic, which will quantify these
e.g. low: 0 to < 3, medium: 3 to < 6 and high: 6 to 9 (as given
in OWASP -
OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_
b) If yes, I request that you share the information / document / URL
Your guidance is vital to me; I am waiting for your reply.
They correlate to the DISA Vulnerability Severity Category Code Definitions:
CAT I (HIGH):
Any vulnerability, the exploitation of which will directly and
immediately result in loss of Confidentiality, Availability, or
CAT II (MEDIUM):
Any vulnerability, the exploitation of which has a potential to result
in loss of Confidentiality, Availability, or Integrity.
CAT III (LOW):
Any vulnerability, the existence of which degrades measures to protect
against loss of Confidentiality, Availability, or Integrity.
Historically the DISA ratings were used because much of the original
community was from Government work (United States, then international)
and the language was fairly standardized.
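The mapping stated in the reply (high = CAT I, medium = CAT II, low = CAT III, with "unknown" falling outside the DISA categories), applied to an oscap XCCDF result. This is an added example, not code from the open-scap project; it assumes XCCDF 1.2 documents in which each <Rule> carries a `severity` attribute and <TestResult> holds <rule-result> elements with a <result> child, and the sample document below is constructed for illustration.

```python
"""Summarise failed XCCDF rules by DISA severity category (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Mapping as described in the thread; "unknown" has no DISA CAT code.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample: four rules, three of which failed in the TestResult.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_ssh_root" severity="high"><title>No root SSH login</title></Rule>
  <Rule id="xccdf_example_rule_banner" severity="low"><title>Login banner</title></Rule>
  <Rule id="xccdf_example_rule_audit" severity="medium"><title>Enable auditd</title></Rule>
  <Rule id="xccdf_example_rule_misc" severity="unknown"><title>Misc check</title></Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_ssh_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_misc"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def failed_rules_by_cat(xccdf_xml: str) -> dict:
    """Return {DISA category: number of failed rules} for one XCCDF document."""
    root = ET.fromstring(xccdf_xml)
    # Severity is declared on the Rule; a rule-result may carry its own override.
    declared = {r.get("id"): r.get("severity", "unknown")
                for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    counts = Counter()
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        if rr.findtext("x:result", default="", namespaces=NS) != "fail":
            continue  # only failed checks count towards findings
        sev = rr.get("severity") or declared.get(rr.get("idref"), "unknown")
        counts[SEVERITY_TO_CAT.get(sev, f"uncategorised (severity {sev})")] += 1
    return dict(counts)


if __name__ == "__main__":
    for cat, n in sorted(failed_rules_by_cat(SAMPLE_XCCDF).items()):
        print(f"{cat}: {n} failed rule(s)")
```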
Open-scap-list mailing list