We would like to suggest adding product-specific metrics such as CVSS 3.1 and 4.0 scores.
This would allow us to score/describe a vulnerability according to the way our products are actually affected.
We would propose that this information be placed as a property of each affected entry. Naming would be x_metrics or just metrics, and it would have the same validations as the metrics already present for the CVE.
We have also suggested this new property in the sadp pilot: CVEProject/sadp-pilot#13
Example:
```json
{
  "vendor": "XXXX",
  "product": "Product X",
  "versions": [
    {
      "status": "affected",
      "version": "0",
      "lessThan": "VX",
      "versionType": "custom"
    }
  ],
  "defaultStatus": "unknown",
  "x_metrics": [
    {
      "cvssV3_1": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
        "baseScore": 5.2,
        "baseSeverity": "MEDIUM"
      }
    },
    {
      "cvssV4_0": {
        "version": "4.0",
        "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L",
        "baseScore": 2.0,
        "baseSeverity": "LOW"
      }
    }
  ]
}
```
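As an added example (not code from this issue or from the CVE schema project), this is the kind of consistency check a validator could apply to the proposed per-product `x_metrics` entries, mirroring the record-level metrics: the key, `version` and `vectorString` prefix must agree, `baseSeverity` must match `baseScore`, and for CVSS v3.1 the score is recomputed from the vector with the specification's equations. The property name `x_metrics` is taken from the proposal above.

```python
# Added example: consistency checks for the proposed per-product `x_metrics`
# property (assumed name from the proposal), not part of the CVE schema.
import math

# CVSS v3.1 base-metric weights from the specification (section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (scope unchanged, changed)
# Qualitative rating bands shared by CVSS v3.x and v4.0: upper bound -> label.
_BANDS = [(0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL")]

def roundup(x: float) -> float:
    """Roundup() as defined in CVSS v3.1 appendix A (integer arithmetic avoids float artefacts)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector: str) -> float:
    """Recompute the base score from a CVSS:3.1 vector string."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["PR"]][changed] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def severity(score: float) -> str:
    """Map a base score to its qualitative severity label."""
    return next(label for upper, label in _BANDS if score <= upper)

def check_x_metrics(affected: dict) -> list[str]:
    """Return the consistency problems found in one affected entry's x_metrics list."""
    problems = []
    for i, metric in enumerate(affected.get("x_metrics", [])):
        for key, cvss in metric.items():
            want = key.removeprefix("cvssV").replace("_", ".")  # cvssV3_1 -> "3.1"
            if cvss.get("version") != want:
                problems.append(f"x_metrics[{i}].{key}: version {cvss.get('version')!r} != {want}")
            prefix_ok = cvss.get("vectorString", "").startswith(f"CVSS:{want}/")
            if not prefix_ok:
                problems.append(f"x_metrics[{i}].{key}: vectorString prefix is not CVSS:{want}")
            if severity(cvss["baseScore"]) != cvss.get("baseSeverity"):
                problems.append(f"x_metrics[{i}].{key}: baseSeverity does not match baseScore")
            if want == "3.1" and prefix_ok and cvss31_base_score(cvss["vectorString"]) != cvss["baseScore"]:
                problems.append(f"x_metrics[{i}].{key}: baseScore does not match vectorString")
    return problems
```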