
Common Vulnerability Scoring System
The State of CVSS for the 2020s

Dave Dugal, Juniper Networks
Dale Rich, DTCC
Co-chairs of CVSS Special Interest Group

Agenda
- Current Status of CVSS v3.1
- The Hopes and Dreams of CVSS v4.0
- Highlights: Approved and Proposed Work Items
- How to Get Involved
- Open Q&A

Current Status of CVSS
- CVSS v3.1 published in June 2019
- Improves upon v3.0 without introducing new metrics or values
  o Allows for frictionless adoption of the new standard
- Usability was a prime consideration
  o Improve the clarity of concepts introduced in CVSS v3.0
  o Improve the overall ease of use of the standard
  o Clarify definitions with better explanations of existing base metrics
  o Lots and lots of examples of “Scope” described in Section 3.5 of the User Guide
- Defined the CVSS Extensions Framework
- CVSS Glossary of Terms expanded and refined

Where we’ve been and where we’re going
- CVSS v3.x – Objectives
  o The challenges of virtualization (Scope)
  o Increased objectivity and repeatability
  o Removed the “middle 90%” Impact issue
- CVSS v4.0 – Looking Forward
  o Threat Intelligence metrics
    Exploitability vs. Likelihood of Attack
  o Cloud Services and OT
  o Concepts of “Survivability” and “Resilience” to measure recovery effort
  o Active vs. Passive “User Interaction”
  o “Attack Complexity” vs. “Attack Requirements”
  o Nomenclature

The Hopes and Dreams of CVSS v4.0
- Expand applicability from classic IT to OT and Cloud Services
- Operationalizing Threat Intelligence
- Considering a new “Severity” Metric Group
  o Category of Exploit
  o Kinetic Impact
  o Collateral Damage
  o Motility
  o Persistence
- Active vs. Passive “User Interaction”
- “Attack Complexity” vs. “Attack Requirements”

Note: CVSSv4 targeting June 2021 FIRST Conference to announce publication

CVSS v4.0: Approved Proposals
- Temporal Metric Group is replaced by the “Threat Metric Group”
- “User Interaction” (Active vs. Passive)
- “Attack Requirements” base metric
  o Added to complement “Attack Complexity”
- Clarification of “Scope”
- Removal of “Report Confidence” and “Remediation Level”

CVSS v4.0: Proposed Work Items
- New “Severity” Metric Group
- Support for Unknown (X) values in Base Score
- New “Threat Intelligence Confidence”
- Likelihood of exploit at scale
- “Resilience”
- “Ease of Mitigation”
- “Kinetic Impact”
- “Collateral Damage”
- Nomenclature

Check out https://bit.ly/cvssv4-workitems for complete list

Get Involved!
- The CVSS SIG holds weekly conference calls to discuss improvements to the standard
- Meetings to discuss CVSS v4.0 occur on Thursday at 13:00 ET
- Become an active Participant in the meetings, or just join our mailing list as an Observer
- Details of how to get involved are on the CVSS home page: https://www.first.org/cvss
- Or rock it old school, and drop us an e-mail: [email protected]
