Vendors agree vulnerability scoring system

Bug marks

RSA 2005 Leading IT suppliers are banding together to standardise the rating of security vulnerabilities. The scheme, called the Common Vulnerability Scoring System (CVSS), is designed to replace vendor-specific ratings and make it easier for users to prioritise security remediation work.

Announced last week at the RSA Conference in San Francisco, CVSS is backed by Cisco, Microsoft, Qualys and Symantec and others. It is part of a project by the US National Infrastructure Advisory Council, a division of the US Department of Homeland Security, to create a framework for disclosing security vulnerabilities. The severity and urgency of software bugs is gauged by CVSS against a standard set of metrics. "It's a new way to talk about vulnerability severity," Mike Schiffman, a Cisco researcher , told New Scientist.

CVSS scores a vulnerability according to seven factors, including whether a flaw allows an attacker access to confidential information, permits a cracker to modify data or allows an assailant to carry out a denial of service attack. It also takes into account whether or not a vulnerability is remotely exploitable or requires access to passwords. The time since a vulnerability was discovered is also measured in an assessment of its severity.

Qualys plans to release CVSS scores in data it supplies for the SANS (SysAdmin, Audit, Network, Security) Institute's free newsletters from later this year, New Scientist reports. Other vendors are yet to outline plans for how they will use CVSS, which is still in development. ®

Related stories

Security Report: Windows vs Linux
Cyber security alliance sets sights on Washington
Panel probes the half-life of bugs
Wormability formulae weighs malware risks

Sponsored: 10 ways wire data helps conquer IT complexity