Samuel Henrique (in reply to daniel:// stenberg://):
As a maintainer who has to review and define CVSS for other projects' CVEs, providing the level of detail that curl does, on top of a severity, is much, much more valuable than providing a CVSS vector.
Projects that just provide a CVSS vector without enough details make it hard for distributors to review and set their own vectors.
Projects that provide all of the details around a CVE allow software distributors to very easily decide on their own CVSS and justify a deviation from NVD.