CVSS v3 as vulnerability assessment scale for 2.x
Abstract
Currently, MyBB vulnerabilities are assessed without a strict underlying model, and the description of the scale in use is not publicly accessible. To improve credibility and organization, the MyBB Group should introduce both.
Proposal
Adopt the Common Vulnerability Scoring System v3.0 (https://en.wikipedia.org/wiki/CVSS) as the software security vulnerability risk assessment scale for MyBB 2.x.
Justification
CVSS is a technical standard that provides a comprehensible and consistent risk scale for security vulnerabilities and helps third-party organizations prioritize their own follow-up tasks.
The CVSS-based scale comprises 8 base metrics:
- Exploitability Metrics
  - Attack Vector (AV)
  - Attack Complexity (AC)
  - Privileges Required (PR)
  - User Interaction (UI)
  - Scope (S)
- Impact Metrics
  - Confidentiality (C)
  - Integrity (I)
  - Availability (A)
Combined, they give a CVSS score ranging from 0 to 10, rounded up to one decimal place. Scores can also be represented in text form (None, Low, Medium, High, Critical).
Additional metric groups (Temporal and Environmental in CVSS terms) can be included to account for exploitability at a given point in time and for an organization-specific environment.
The score can be computed using existing calculators, such as the FIRST calculator at https://www.first.org/cvss/calculator/3.0.
Effects & Implications
Each vulnerability fixed in a release will be listed in the corresponding release notes along with its CVSS score and the vector string recording the value assigned to each metric.
Metadata
- First draft: 17 Nov 2015
- Author(s): Devilshakerz
- Status: Accepted
| Voting started | Voting ended | Quorum | Yes | No | Abstain |
|---|---|---|---|---|---|
| 2 Dec 2015 | 16 Dec 2015 | 11 | 9 | 0 | 3 |