Hi all,
currently DSAs have the following urgency field values: high, medium,
low, unimportant, not yet assigned and end of life.
In other formats, one example being the OSSF, the severity of a
vulnerability is rated with the CVSS scoring system [1]. I know that
Debian does not adhere to that scoring system, but the ratings of a
score are very similar to the DSA Urgency field [2] (Section 5, Table
14): Critical, High, Medium, Low and None.
I could not find any "hard" criteria for the assessment of the Urgency
of DSAs, and I assume this is done by intuition of the Debian security
team. Most of the people involved in a vulnerability remediation process
are used to the CVSS scoring system and its ratings (or so I have heard,
I am not one myself). Having such similar rating names might lead to
confusion about their meaning as it might be different and thus cause
friction in vulnerability remediation processes.
So my first questions would be how the Urgency is determined, and if the
determination is somewhat related to the CVSS qualitative ratings? And
secondly what would we think about adding a new Urgency: critical? Would
it be useful and how much effort would it be to implement?
[1] https://ossf.github.io/osv-schema/#severitytype-field
[2] https://www.first.org/cvss/v3.0/specification-document
Best regards,
Christoph Steiger
--
Siemens AG, Foundational Technologies
Linux Expert Center