On 6/18/19 3:45 PM, Trevor Vaughan wrote:
At some point, these should probably be changed to correlate with the Vulnerability Severity Assessment Scale as outlined in the NIST 800-30 since it is well defined, a public standard at no cost, and 0-100 which lines up with most people's internal "gut feeling".
Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable. Is that what you were thinking?
Worried the broader 800-30 requires advanced multidimensional calculus.... yes, could result in better ratings than the DISA scale, but if it's too hard to use... nobody will use it.
 Page 68 @ https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf