CVSS

Definition

The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of security vulnerabilities in software systems. It produces a numerical score that reflects the potential impact of a vulnerability, which helps organizations prioritize their response and remediation efforts. The score is derived from several metrics: how easily the vulnerability can be exploited, its impact on confidentiality, integrity, and availability, and its scope (whether exploiting it affects components beyond the vulnerable one).

Secure Settings Example

# Example of a security policy using CVSS for vulnerability management
vulnerability_management:
  # Findings scoring at or above this CVSS value trigger the actions below
  cvss_threshold: 7.0
  actions:
    - notify_security_team: true
    - patch_immediately: true
  # Any deferral must be signed off by an accountable role and expire
  exceptions:
    - approved_by: security_officer
    - valid_until: 2023-12-31

Insecure Settings Example

# Example of a poor security policy ignoring CVSS scores
vulnerability_management:
  # Only a perfect 10.0 score triggers any action, so almost every finding is ignored
  cvss_threshold: 10.0
  actions:
    - notify_security_team: false
    - patch_immediately: false
  # Exceptions approved without accountability and left open for a long period
  exceptions:
    - approved_by: junior_staff
    - valid_until: 2025-01-01