CVSS Ratings Get the Red, Amber, Green Treatment

Greg Lambert
November 2, 2023

FIRST, the Forum of Incident Response and Security Teams, has recently unveiled the latest version of its Common Vulnerability Scoring System (CVSS). This is a major update from V3 and the first in over 4 years.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups:

  • Base: intrinsic qualities of the reported vulnerability
  • Threat: metrics that relate to change of the threat over time
  • Environmental: metrics that relate to the target user’s system environment
  • Supplemental: metrics which provide additional insight into the threat and are used to modify the Environmental and Threat metrics

When we talk of a security vulnerability being 9.9 out of ten, this is what we are referring to.

Aside from numerous minor revisions, one of the major additions to this latest version of the CVSS vulnerability reporting system is the Traffic Light Protocol (TLP). TLP was created to facilitate greater sharing of sensitive information and more effective collaboration. Information is shared from an information source to one or more recipients. TLP has a set of four labels used to indicate the sharing boundaries to be applied by the recipients:

  • TLP:RED = For the eyes and ears of individual recipients only, no further disclosure.
  • TLP:AMBER = Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.
  • TLP:AMBER+STRICT = Restricts sharing to the organization only.
  • TLP:GREEN = Limited disclosure, recipients can spread this within their community.
  • TLP:CLEAR = Recipients can spread this to the world, there is no limit on disclosure.

We at Readiness have focused on communicating risk, threats, and prescriptive next steps for the past four years. It’s great to see how vulnerability reporting is maturing – especially with Red, Amber, Green glasses on. 🙂

To find out more about these latest changes and the CVSS reporting system in general:

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
