On Thu, 2026-04-23 at 13:24 +0200, Christoph Steiger wrote:
> Hi all,
>
> currently DSAs have the following urgency field values: high, medium,
> low, unimportant, not yet assigned and end of life.

Hi,

the question is about the security tracker data, hence forwarding to the
debian-security-tracker ML.

Felix

> In other formats, one example being the OSSF, the severity of a
> vulnerability is rated with the CVSS scoring system [1]. I know that
> Debian does not adhere to that scoring system, but the ratings of a
> score are very similar to the DSA Urgency field [2] (Section 5, Table
> 14): Critical, High, Medium, Low and None.
>
> I could not find any "hard" criteria for the assessment of the Urgency
> of DSAs, and I assume this is done by intuition of the Debian security
> team. Most of the people involved in a vulnerability remediation process
> are used to the CVSS scoring system and its ratings (or so I have heard,
> I am not one myself). Having such similar rating names might lead to
> confusion about their meaning, as it might be different, and thus cause
> friction in vulnerability remediation processes.
>
> So my first questions would be how the Urgency is determined, and if the
> determination is somewhat related to the CVSS qualitative ratings? And
> secondly, what would we think about adding a new Urgency: critical? Would
> it be useful, and how much effort would it be to implement?
>
> [1] https://ossf.github.io/osv-schema/#severitytype-field
> [2] https://www.first.org/cvss/v3.0/specification-document
>
> Best regards,
> Christoph Steiger
> --
> Siemens AG, Foundational Technologies
> Linux Expert Center

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

