Talk:Common Vulnerability Scoring System

From Wikipedia, the free encyclopedia
This article is rated C-class on Wikipedia's content assessment scale.
It is of interest to WikiProject Computer security and WikiProject Computing, both of which rate it as High-importance.

Permission for use granted by the CVSS SIG Chair Gavin Reid gavreid at cisco dot com and sent to permissions at wikimedia dot org

Rewrite for CV


I did a rewrite on the temp page. I removed a lot of details (it was long anyway); it still has a list of the metrics (rewritten), but whether the list would be copyrightable is gray. I added some commentary and retained the external links. RJFJR 22:27, 24 November 2006 (UTC)[reply]


I suggest the following article for reference:

The Common Vulnerability Scoring System - Magic Numbers or Snake Oil?

http://www.heise-security.co.uk/articles/89049

Note that I am a Heise editor and therefore will not add this myself, because it is against our policy to spam. Please inform me if you think that this kind of proposal violates the Wikipedia policy.

193.99.145.162 08:16, 12 June 2007 (UTC) / ju (ju at heisec.de)[reply]

The deadlink above is now at http://www.h-online.com/security/features/The-Common-Vulnerability-Scoring-System-Magic-Numbers-or-Snake-Oil-747205.html Widefox; talk 07:34, 6 February 2013 (UTC)[reply]


Rewrite needed for Adoption section


It talks about v2, while now v3 is widely used. Some of the sites in the list are even down. I don't have the knowledge to edit it. 37.26.148.212 (talk)

Do CVSS scores get peer reviewed?


From what I could read on the web, the team that discovers a vulnerability goes through the CVSS and sets a score accordingly, but the issue - unless egregious - is not really peer reviewed. There are even CVEs that are disputed but the score doesn't change.

Is there a peer review or, due to the volume of CVEs, does the original team decide, so that the score is not really "tested"? (Again, beside egregious problems.)

Picking CVEs at random (all over 7 out of 10 in score) I couldn't find any peer review discussion about the score and the CVE in itself. Pier4r (talk) 09:45, 25 April 2024 (UTC)[reply]

Basically, the CNA (CVE Numbering Authority) or the vendor itself gives a score.
There is also the NVD (National Vulnerability Database), where independent government contractors evaluate the issue.
[1]
Since the vendors may want to reduce the score to downplay the issue and the researchers may want to increase the score to exaggerate their finding, the NVD is considered a more neutral stance, but yeah, there's no clearly defined peer review, let alone an obligatory one. Dinis12481 (talk) 14:40, 18 February 2026 (UTC)[reply]