Talk:Common Vulnerability Scoring System

Permission for use granted by the CVSS SIG Chair Gavin Reid gavreid at cisco dot com and sent to permissions at wikimedia dot org

Rewrite for CV
I did a rewrite on the temp page. I removed a lot of details (it was long anyways), it still has a list of the metrics (rewritten) but whether the list would be copyrightable is gray. I added some commentary and retained the external links. RJFJR 22:27, 24 November 2006 (UTC)

Proposal for external link
I suggest the following article for reference:

The Common Vulnerability Scoring System - Magic Numbers or Snake Oil?

http://www.heise-security.co.uk/articles/89049

Note that I am a Heise editor and therefore will not add this myself because it is against our policy to spam. Please inform me if you think that this kind of proposal violates the Wikipedia policy.

193.99.145.162 08:16, 12 June 2007 (UTC) / ju (ju at heisec.de)
 * The dead link above is now at http://www.h-online.com/security/features/The-Common-Vulnerability-Scoring-System-Magic-Numbers-or-Snake-Oil-747205.html Widefox ; talk 07:34, 6 February 2013 (UTC)

Rewrite needed for Adoption section
It talks about v2, while now v3 is widely used. Some of the sites in the list are even down. I don't have the knowledge to edit it. 37.26.148.212 (talk)

Do CVSS scores get peer reviewed?
From what I could read around the web, the team that discovers a vulnerability goes through the CVSS and sets a score accordingly, but the issue - unless egregious - is not really peer reviewed. There are even CVEs that are disputed but the score doesn't change.

Is there a peer review or, due to the volume of CVEs, the original team decides and thus the score is not really "tested"? (again, besides egregious problems).

Picking CVEs at random (all over 7 out of 10 in score) I couldn't find any peer review discussion about the score and the CVE in itself. Pier4r (talk) 09:45, 25 April 2024 (UTC)