Adopt CVSS scoring system #956
Comments
Of course there's a calculator inline on HackerOne as well: That's on https://hackerone.com/reports/176396. @dmk246 Are you okay with adopting this? It's more complicated but more accurate as a result.
@whit537 I just wanted our team to play around with CVSS, before coming to a conclusion. ;)
Did you fudge the calculation to get it to come out "Medium," or was that a happy coincidence? :)
Let's call it a happy coincidence. ;) In all seriousness, I am fairly confident that my calculation is correct. Feel free to check it and let me know if you find something wrong.
@EdOverflow can you check out #165313 and see if it is rated correctly? @whit537 and I went through this one to help me understand it better.
@dmk246 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N is spot on! :)
Thanks @EdOverflow!!!
I don't find the slack link now, but @EdOverflow commented that "Everything is coming out medium" is a known problem with CVSS v3. If that's the case then it may be better to stick with the simple five-point scale instead of going with CVSS.
Let's try and close this with #1018. @EdOverflow @dmk246 Can you go ahead and reclassify all triaged reports according to CVSS? That should give us enough info to decide on bounty amounts. We're leaning towards $0 for Medium, but it would be good to have a sense of how common High will be before committing to a revised amount there.
I'm on to it.
I would highly recommend we start using CVSS terminology and scores to classify security reports.
Here is a CVSS v3 calculator: https://nvd.nist.gov/CVSS/v3-calculator