Context: vuln tool vendors may not distribute exact SSVC metadata with vuln scanning signatures, but they do distribute CVSS v3, v4 and other metadata that is used for prioritization for reporting/remediation activities. In the absence of specific SSVC metadata, and wanting to make a good-faith attempt at producing a decent mapping of SSVC metadata to available data:

- Should SSVC scoring for "Automatable" always line up exactly with CVSS v4 scoring for "Automatable (AU)" (and/or is it just pulled directly by the SSVC project from that source when available)? https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator
- Is there a specific set of CVSS v4 supplemental or other scoring (or some other CVSS-based scoring) that they use to cleanly define "Technical Impact" of "Partial" or "Total"? Given the defined criteria, would it be reasonable to map "High" severity to "Partial" and "Critical" to "Total" as a valid shorthand covering most cases?
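As an added illustration of the mapping the question proposes (this is not code from the SSVC project, and it does not answer whether the project endorses either mapping), the following parses a CVSS v4.0 vector string, reads the supplemental "Automatable (AU)" metric, and applies the "High -> Partial, Critical -> Total" severity shorthand from the question. The practitioner caveat it encodes is that a missing AU component means "Not Defined (X)", which must not be read as "not automatable". The `technical_impact_from_vector` function is an assumed, stricter reading of SSVC "Total" (all three vulnerable-system impacts VC/VI/VA at High), included only so the two heuristics can be compared on the same vector; the sample vectors are constructed for the example.

```python
import re
from typing import Optional

# CVSS v4.0 base metrics that every vector must carry (per the v4.0 spec).
REQUIRED_BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Supplemental "Automatable" values mapped onto SSVC's Automatable decision point.
# "X" (Not Defined) is deliberately absent: it is unknown, not "no".
AU_TO_SSVC = {"Y": "yes", "N": "no"}


def parse_cvss4_vector(vector: str) -> dict[str, str]:
    """Parse a CVSS:4.0 vector string into a metric -> value dict.

    Raises ValueError on anything malformed rather than returning a partial
    mapping, because a silently wrong 'Automatable' answer changes the SSVC outcome.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric component: {part!r}")
        key, val = m.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric: {key}")
        metrics[key] = val
    missing = [k for k in REQUIRED_BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing required base metrics: {missing}")
    return metrics


def ssvc_automatable(metrics: dict[str, str]) -> Optional[str]:
    """SSVC Automatable derived from CVSS v4 AU; None when AU is X or absent."""
    return AU_TO_SSVC.get(metrics.get("AU", "X"))


def technical_impact_from_severity(severity: str) -> Optional[str]:
    """The shorthand proposed in the question: High -> partial, Critical -> total.

    The shorthand says nothing about Low/Medium, so those return None
    instead of being guessed.
    """
    s = severity.strip().lower()
    if s == "critical":
        return "total"
    if s == "high":
        return "partial"
    return None


def technical_impact_from_vector(metrics: dict[str, str]) -> str:
    """Assumed alternative reading: 'total' only if VC, VI and VA are all High."""
    if all(metrics[k] == "H" for k in ("VC", "VI", "VA")):
        return "total"
    return "partial"


def map_to_ssvc(vector: str, severity: str) -> dict[str, Optional[str]]:
    """Combine both heuristics for one finding so the disagreements are visible."""
    m = parse_cvss4_vector(vector)
    return {
        "automatable": ssvc_automatable(m),
        "technical_impact_by_severity": technical_impact_from_severity(severity),
        "technical_impact_by_vector": technical_impact_from_vector(m),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real advisories.
    samples = [
        ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y", "Critical"),
        ("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "High"),
    ]
    for vec, sev in samples:
        print(sev, map_to_ssvc(vec, sev))
```

Running the two samples shows the gap the question is circling: the second vector has no AU component, so `automatable` comes back `None` rather than `"no"`, and the two Technical Impact heuristics agree on these inputs but would diverge on, for example, a Critical-rated vector whose VI or VA is not High.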