Information about http://www.first.org/cvss/cvss_meeting_minutes_121906.pdf

Created: Wed Dec 20 20:28:14 2006
Minutes for the CVSS SIG meeting - 12/19/2006 Meeting:
This meeting was held on Tuesday, December 19, 2006
Conference Call

Attending: Gavin Reid, Mike Scheck, Sasha Romanosky, George Theall, Karen Scarfone, Tim
Keanini, Bill Evans, Barrie Brook, Robin Sterzer

Agenda/Discussion:

   1) Report status on action items from previous meeting on 11/14/06:
      a. Karen/Peter - Progress on CVSS equations - Changes have not been made to the
         equation.
      b. Peter/George - Research creation of a web-based calculator - They created the
         calculator and it came out nicely.
      c. Peter/Karen - Take a sample of a few vulnerabilities and score them both ways -
         Gavin has done some sampling. Discussed below in 2) a. and b.
      d. Gavin - Set up meetings with Oracle to discuss scoring - Gavin is attempting a new
         contact to set up a meeting. Setting up a meeting with Microsoft to include Gavin,
         Mike Caudill and Peter Mell.
      e. Gavin - Follow up on the confidentiality plus issues with Oracle - See 1) d.
   2) CVSS Structure, Strategy and Process:
      a. Changes in scoring from Version 1 to Version 2 for access vector local vs. access
         vector remote - There seems to be a huge disconnect between version 1 and 2.
         There is a difference between the definitions of "local" (account on the box) and
         "remote" (trigger vulnerability over the Internet). Karen will talk to the mathematicians
         about getting better numbers and use the version 1 spread as an example.
      b. Discuss discrepancy from Version 1 to Version 2 in sample scoring:

         Vector                              Base Score
         AV:L/AC:L/Au:NR/C:C/I:N/A:N/B:N     2.0
         AV:L/AC:L/Au:NR/C:C/I:N/A:N         7.8

         There is a huge jump in scoring. Work on 2) a. and then address this one.
   3) Administrative:
      a. CVSS v1.x documentation status update and proposed changes - N/A
   4) Roundtable: Updates/Needs/Questions
      Sasha - Will come up with a list of questions and send them to the list regarding the three
      scores. People do not understand the three scores and what they are supposed to do.
      Barrie - Noticed in emails that "remote" was being treated as equivalent to "Internet".

Action Items:

   1) Karen/Peter - Progress on CVSS equations
   2) Peter/Karen/Team - Take a sample of a few vulnerabilities and score them both ways
   3) Gavin - Set up meetings with Oracle to discuss scoring and follow up on the
      confidentiality plus issues with Oracle
   4) Karen - Discuss with the mathematicians the changes in scoring from Version 1 to Version
      2 for access vector local vs. access vector remote