praetorian-inc / chariot-ui

Chariot Offensive Security Platform
https://preview.chariot.praetorian.com
MIT License

Explain the justification for severity ratings #21

Open praetorian-peter-mueller opened 1 month ago

praetorian-peter-mueller commented 1 month ago

We currently support qualitative severity ratings, including "Critical", "High", "Medium", "Low" and "Informational". However, no UI element explains the justification for this risk rating. The customer should be able to see at a glance why the risk has the specified severity rating, based on the projected impact and requirements for exploitation.

There is no "one size fits all" severity rating system that meets the needs of all circumstances. However, @treburn and I believe that CVSS is the best all-around framework, and if we can only support one, I believe we should support CVSS 4.0 base scores. If possible, we should also support CVSS 4.0 environmental and temporal scores.

privateducky commented 1 month ago

This is in scope for our direction.

We've talked about running risks through CVSS scoring (https://www.first.org/cvss/v3.1/specification-document#7-4-Metric-Values) metrics to assign a proper score.

privateducky commented 1 week ago

@storbeck I think we'll just add a tooltip/info on the new risk drawer, which explains we use CVSS scoring.