Computer Engineer, jack of all trades at Cisco PSIRT. Toots are my own.

RE: https://infosec.exchange/@firstdotorg/115967185455416136

With the CVSS SIG at FIRST we just published the Implementation Guide, quoting the opening:

"Vulnerability managers and analysts, those of you on the front lines of patch management and mitigation, this document is for you."

Have a look at it, it should help you get out of CVSS vulnerability prioritization much better tailored to your environment!

🗓️ Two weeks ago today, #Iran was cut off from the world by an extremist regime as the people went out on the streets to call for change.

With the digital blackout silencing Iranians' voices, authorities perpetrated one of the deadliest crackdowns in modern history.

According to internet monitor NetBlocks the shutdown in #Iran has been going on for 24 hours now. Yet, Iranians manage to get footage out of the country. Footage of massive anti-regime demonstrations in multiple cities all over the country. The #DigitalBlackoutIran costs the IRI tens of thousands of dollars every day. As the death toll is rising, protestors rather risk their lives and die on the streets than continue to live under the dictatorship.

#Iranprotest #BeTheirVoice #AllEyesOnIran

Promising solution with credible deliverables:
https://airiskbutt.com
AI Risk Butt | Let AI handle your AI risks. Forever. Recursively.

The world's first fully automated, perpetually self-sustaining AI risk management system that continuously scans, reports, and conveniently risk-accepts itself into bureaucratic bliss.

@ainmosni every time someone comes up with “well, what if someone can physically touch...” then all bets are off buster brown. I've worked on NSA-certified tamper resistant TEMPEST qualified devices. The level of effort required is staggering, as is the price tag.

That is not your threat model.

Something I keep saying is “Too many people are worried about the threats they wish they had, not the risks they do have.”

We are excited to announce that CIRCL has three open positions available.

As a team strongly oriented towards open-source development, we value contributions that drive innovation and strengthen the cybersecurity community. These roles are open to EU citizens, with the workplace based in Luxembourg. If you’re passionate about cybersecurity and open-source collaboration, we encourage you to apply and make a meaningful impact.

  • CIRCL - Software Engineer and Intelligence Analyst (software-engineering-analyst)

🔗 https://www.circl.lu/projects/position/software-engineering-analyst/

  • CIRCL - Security Analyst and Researcher (Security-Analyst-and-Researcher)

🔗 https://www.circl.lu/projects/position/security-analyst-researcher/

  • CIRCL - Incident and Vulnerability Disclosure Coordinator/Analyst (nis2-incident-analyst)

🔗 https://www.circl.lu/projects/position/nis2-incident-analyst/

@circl

#cybersecurity #opensource #europe #csirt #cert #nis2

CIRCL » CIRCL - Software Engineer and Intelligence Analyst (software-engineering-analyst)


The whining time has come 😅, here you can do it towards the ears of the CVSS SIG:
https://survey.alchemer.com/s3/8015778/CVSS

If you regularly use CVSS to assess vulnerabilities, at the CVSS SIG in FIRST we would love to get to know more about how you use it and how you feel about it:

https://survey.alchemer.com/s3/8015778/CVSS

It's a brief survey and it will help us improve the support material for the current version of the standard and to identify changes that might go into the next releases. Thanks! 🙏

The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0. This latest release marks a significant step forward with added capabilities crucial for teams with the importance of using threat intelligence and environmental metrics for accurate scoring at its core.

Critical in the interface between supplier and consumer, CVSS provides a way to capture the principal characteristics of a security vulnerability and produces a numerical score reflecting its technical severity to inform and provide guidance to businesses, service providers, government, and the public.

The numerical score can be represented as a qualitative severity rating (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes and prepare defenses against cyber-attacks.

Furthermore, this system allows the consumer to also assess real-time threat and impact, arming them with vital information to help to defend themselves against an attack.

The Common Vulnerability Scoring System is a published standard used by organizations worldwide, and this latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public.

More can be found here: https://first.org/cvss

#FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT

Common Vulnerability Scoring System SIG

FIRST — Forum of Incident Response and Security Teams
@tychotithonus Stumbled on it due to a like on one of my posts, then found your feed highly relevant for me.