April 8, 2010

Use of Common Vulnerability Scoring System in TYPO3 Security Advisories

Category: Security

By: Marcus Krause

The TYPO3 Security Team intends to use CVSS for TYPO3 Core Security Bulletins in the future. Learn what CVSS is all about and how you benefit from it!

As of today, the TYPO3 Security Team has published a CVSS rating in a pre-announcement.

We have learned that our current severity ratings (low, medium, high, critical) in security bulletins are not that useful. That's why we searched for a way to provide more detailed information in a bulletin.

CVSS is an open framework for communicating the characteristics and impacts of vulnerabilities in Information Technology. It allows vulnerability bulletin analysts to understand and properly communicate disclosed vulnerabilities. In addition, it allows customers to prioritize risks.

Several vendors are already using CVSS. This enables you to compare vulnerabilities of applications from different scopes.

An extensive guide on CVSS is available online and in the form of a PDF. We hereby encourage TYPO3 users, agencies and webhosting companies to get familiar with CVSS.

The CVSS v2.0 data of the upcoming security bulletin TYPO3-SA-2010-008 is as follows:
Base AV:N/AC:H/Au:N/C:C/I:C/A:C | Temporal E:F/RL:OF/RC:C

You can either use the guide mentioned above to understand the scoring, or feed this data into a CVSS calculator (DE, FR, ES, JP).

From today, the TYPO3 Security Team intends to publish CVSS data with every security bulletin on TYPO3 Core vulnerabilities.

We would like to hear your opinion on this new "feature"!


comments

comment #1
Ingo, April 8, 2010 20:44
Great to see more professional tools used. However, to me that seems very complex for anyone not familiar with security related topics as much as the security team members are. Therefore I'd recommend staying with the low/medium/high rating to provide an easy and fast indication of the threat level of an issue.
I very much welcome the addition of the more detailed data though! Maybe the low/medium/high rating can be based on the overall score the calculator puts out. In addition, the CVSS string should always be linked to that calculator, as I think it's a great tool to help many more people easily understand the somewhat cryptic string (and what it is at all!).

comment #2
Steffen Müller, April 9, 2010 00:28
Adding a link to the calculator in the bulletin will help a lot.

comment #3
Fedir, April 9, 2010 11:19
Yeah, adding the direct link will help.
Thanks a lot.

comment #4
anonymous, April 9, 2010 11:29
I support Ingo: CVSS info linked to the calculator + low/medium/high rating based on the overall score.

comment #5
Pim Broens, April 16, 2010 17:04
Nice to see this development. I agree with Ingo though on the part of direct linking. It would provide people without knowledge a nice way to get to know this.
