Open ahouseholder opened 1 year ago
Following is what we had said about CVSS 3.1 in the State-based model paper
CVSS version 3.1 includes a few Temporal Metric variables that connect to this model. Unfortunately, differences in abstraction between the models leaves a good deal of ambiguity in the translation. The table below shows the relationship between the two models.
States | CVSS v3.1 Temporal Metric | CVSS v3.1 Temporal Metric Value(s) |
---|---|---|
$\cdot\cdot\cdot\cdot XA$ | Exploit Maturity | High (H), or Functional (F) |
$\cdot\cdot\cdot\cdot X \cdot$ | Exploit Maturity | High (H), Functional (F), or Proof-of-Concept (P) |
$\cdot\cdot\cdot\cdot x \cdot$ | Exploit Maturity | Unproven (U) or Not Defined (X) |
$Vf\cdot\cdot\cdot\cdot$ | Remediation Level | Not Defined (X), Unavailable (U), Workaround (W), or Temporary Fix (T) |
$VF\cdot\cdot\cdot\cdot$ | Remediation Level | Temporary Fix (T) or Official Fix (O) |
Some elements of CVSSv4 vectors have implications for interaction with Vultron states. We should map those out as a crosswalk similar to https://certcc.github.io/Vultron/reference/ssvc_crosswalk