In the first episode of Security Unscripted, Austin Kimbrell and Vincent Danen talk about some of the changes in CVSSv4 and why they matter. They also discuss the challenges the security community at large has with the current use of CVSS, the challenges around adoption, and just how many people still use CVSSv2 (even though CVSSv3 came out almost a decade ago!).
References:
- CVSS 3.1 specification document on base metric equations
- CVSS 4.0 specification document on the new scoring system
- PCI DSS Quick Reference Guide
- PCI DSS 4.0 manual
- CVSS 4.0 user guide on base scores measuring severity not risk
- CVSS 4.0 specification document on exploitability metrics
- CVSS 4.0 specification document on environmental metrics
- CVSS 4.0 user guide on assessing vulnerabilities in software libraries
- CVSS 4.0 user guide on vulnerable systems protected by a firewall
- CVSS 4.0 specification document on threat metrics
- CVSS 4.0 user guide on multiple CVSS base scores
- CVSS 4.0 FAQ on consumers applying environmental metric data
- CVSS training