RiskBasedPrioritization
diff --git a/‎assets/images/cvss-bt-counts.png‎
1.4 KB b/‎assets/images/cvss-bt-counts.png‎
1.4 KB
diff --git a/‎assets/images/cvss-bt-counts_above.png‎
8.35 KB b/‎assets/images/cvss-bt-counts_above.png‎
8.35 KB
diff --git a/‎assets/images/cvss_bt_bar.png‎
196 Bytes b/‎assets/images/cvss_bt_bar.png‎
196 Bytes
diff --git a/‎assets/images/cvss_bt_parcat.png‎
3.59 KB b/‎assets/images/cvss_bt_parcat.png‎
3.59 KB
diff --git a/‎print_page/index.html‎
Lines changed: 8 additions & 8 deletions b/‎print_page/index.html‎
Lines changed: 8 additions & 8 deletions
@@ -5395,7 +5395,7 @@ <h1 class='nav-section-title' id='section-takeaway'>
 <p>Throughout this guide, the building blocks for <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization have been detailed and analyzed.</p>
 <p>Code and analysis is provided for 3 <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization schemes to allow comparison and refinement: </p>
 <ol>
-<li><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics (adding Exploitation info per the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> standard)<ol>
+<li><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) (adding Exploitation info per the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> standard)<ol>
 <li>The data from "<a href="https://github.com/t0sche/cvss-bt">Enriching the <abbr title="National Vulnerability Database">NVD</abbr> <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> scores to include Temporal &amp; Threat Metrics</a>" is used here.</li>
 </ol>
 </li>
@@ -5417,15 +5417,15 @@ <h1 class='nav-section-title' id='section-takeaway'>
 At the beginning of the guide it was stated that <a href="#introduction-introduction-writing-style">the "writing style" in this guide is "succinct and opinionated"</a>.</p>
 <p>This section "leads with an opinion", and associated rationale.</p>
 </div>
-<p><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m13 18.9 6.1-6.1 2.1 2.1-6.1 6.1H13v-2.1m8.4-7.6 1.3 1.3c.2.2.2.5 0 .7l-1 1-2.1-2 1-1c.1-.1.2-.2.4-.2s.3 0 .4.2M11 21H5c-.5 0-1-.2-1.4-.6-.4-.4-.6-.9-.6-1.4V5c0-.5.2-1 .6-1.4C4 3.2 4.5 3 5 3h14c1.1 0 2 .9 2 2v4h-2V5H5v14h6v2m4-9-5-4v8l5-4Z"/></svg></span> <a href="https://colab.research.google.com/drive/1LOps2ViFbAp5eyC5UG_cr-5bZ8i_4U8B#scrollTo=HHyjMx-Ku7eQ">Colab NoteBook <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base vs <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base &amp; Threat</a> </p>
-<p><img alt="🧑‍💻" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.0.3/assets/svg/1f9d1-200d-1f4bb.svg" title=":technologist:" /> <a href="https://github.com/RiskBasedPrioritization/RiskBasedPrioritizationAnalysis/blob/main/analysis/cvss-bt.ipynb"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base vs <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base &amp; Threat Source Code</a></p>
+<p><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m13 18.9 6.1-6.1 2.1 2.1-6.1 6.1H13v-2.1m8.4-7.6 1.3 1.3c.2.2.2.5 0 .7l-1 1-2.1-2 1-1c.1-.1.2-.2.4-.2s.3 0 .4.2M11 21H5c-.5 0-1-.2-1.4-.6-.4-.4-.6-.9-.6-1.4V5c0-.5.2-1 .6-1.4C4 3.2 4.5 3 5 3h14c1.1 0 2 .9 2 2v4h-2V5H5v14h6v2m4-9-5-4v8l5-4Z"/></svg></span> <a href="https://colab.research.google.com/drive/1LOps2ViFbAp5eyC5UG_cr-5bZ8i_4U8B#scrollTo=HHyjMx-Ku7eQ">Colab NoteBook <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base vs <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base &amp; Temporal Metric - Exploit Code Maturity/Exploitability (E)</a> </p>
+<p><img alt="🧑‍💻" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.0.3/assets/svg/1f9d1-200d-1f4bb.svg" title=":technologist:" /> <a href="https://github.com/RiskBasedPrioritization/RiskBasedPrioritizationAnalysis/blob/main/analysis/cvss-bt.ipynb"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base vs <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Base &amp; Temporal Metric - Exploit Code Maturity/Exploitability (E) Source Code</a></p>
 <p><img alt="🧑‍💻" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.0.3/assets/svg/1f9d1-200d-1f4bb.svg" title=":technologist:" /> <a href="https://github.com/RiskBasedPrioritization/RiskBasedPrioritizationAnalysis/blob/main/cisa_ssvc_dt/DT_from_scratch.ipynb"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Source Code</a> </p>
 </div>
-<h3 id="risk-rbp_schemes-cvss-temporal-threat-metrics"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics<a class="headerlink" href="#risk-rbp_schemes-cvss-temporal-threat-metrics" title="Permanent link">&para;</a></h3>
-<p>Exploitation data is added per the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> standard as described in <a href="#cvss-cvss-cvss-exploit-maturity"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr></a>.</p>
+<h3 id="risk-rbp_schemes-cvss-and-temporal-metric-exploit-code-maturity-e"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> and Temporal Metric - Exploit Code Maturity (E)<a class="headerlink" href="#risk-rbp_schemes-cvss-and-temporal-metric-exploit-code-maturity-e" title="Permanent link">&para;</a></h3>
+<p>Exploitation data is added per the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 standard as described in <a href="#cvss-cvss-cvss-exploit-maturity"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr></a>.</p>
 <figure>
 <p><img alt="" src="../assets/images/cvss_bt_parcat.png" /></p>
-<figcaption>The effect of CVSS Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs move to High</figcaption>
+<figcaption>The effect of CVSS v3 Temporal Metric - Exploit Code Maturity (E) is to move some CVEs down a Rating e.g. some Critical CVEs move to High</figcaption>
 </figure>
 <h3 id="risk-rbp_schemes-cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus<a class="headerlink" href="#risk-rbp_schemes-cvss-base-score-ratings-with-exploitation-focus" title="Permanent link">&para;</a></h3>
 <p>A simple illustrative scheme that combines Base Score Ratings with Exploitation status is defined here.</p>
@@ -5531,7 +5531,7 @@ <h3 id="risk-rbp_schemes-ssvc-decision-trees"><abbr title="SSVC Stakeholder-Spec
 <div class="admonition observations">
 <p class="admonition-title">Observations</p>
 <ol>
-<li>The standard <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics as described in <a href="#cvss-cvss-cvss-exploit-maturity"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr></a> does not significantly (de)prioritize CVEs.<ol>
+<li>The standard <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) as described in <a href="#cvss-cvss-cvss-exploit-maturity"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr></a> does not significantly (de)prioritize CVEs.<ol>
 <li>While it uses Exploitation Evidence, it does not <strong>focus on</strong> Exploitation Evidence like the other 2 schemes presented</li>
 <li>is based on a standard, but exactly how to use the different types of Exploitation Evidence is not standard or defined</li>
 </ol>
@@ -5560,7 +5560,7 @@ <h3 id="risk-rbp_schemes-ssvc-decision-trees"><abbr title="SSVC Stakeholder-Spec
 <table>
 <thead>
 <tr>
-<th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics</th>
+<th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E)</th>
 <th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus</th>
 <th><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees</th>
 </tr>