ahouseholder
commented
5 months ago Following is what we had said about CVSS 3.1 in the State-based model paper
CVSS version 3.1 includes a few Temporal Metric variables that connect to this model. Unfortunately, differences in abstraction between the models leaves a good deal of ambiguity in the translation. The table below shows the relationship between the two models.
| States | CVSS v3.1 Temporal Metric | CVSS v3.1 Temporal Metric Value(s) |
|---|---|---|
| $\cdot\cdot\cdot\cdot XA$ | Exploit Maturity | High (H), or Functional (F) |
| $\cdot\cdot\cdot\cdot X \cdot$ | Exploit Maturity | High (H), Functional (F), or Proof-of-Concept (P) |
| $\cdot\cdot\cdot\cdot x \cdot$ | Exploit Maturity | Unproven (U) or Not Defined (X) |
| $Vf\cdot\cdot\cdot\cdot$ | Remediation Level | Not Defined (X), Unavailable (U), Workaround (W), or Temporary Fix (T) |
| $VF\cdot\cdot\cdot\cdot$ | Remediation Level | Temporary Fix (T) or Official Fix (O) |
Some elements of CVSSv4 vectors have implications for interaction with Vultron states. We should map those out as a crosswalk similar to https://certcc.github.io/Vultron/reference/ssvc_crosswalk