How does the Juniper Networks Security Incident Response Team (Juniper SIRT) use the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS provides standardized vulnerability scores. When an organization uses a common algorithm for scoring vulnerabilities across all IT platforms, it can leverage a single vulnerability management policy defining the maximum allowable time to validate and remediate a given vulnerability. Because CVSS is an open framework, the individual characteristics used to derive a score from its standardized metrics are transparent.
Juniper Networks uses CVSS for all reported vulnerabilities. The CVSS Base Score is used to gauge the severity and set priorities for the fix and remediation. Customers can use the Base Score to perform a full CVSS assessment (see the CVSS Guide below). The total CVSS Score will provide customers with a more precise understanding of the vulnerability's severity as it relates to their specific network.
In June 2015, the FIRST CVSSv3 Special Interest Group (SIG), of which Juniper Networks is an actively participating member, published version 3.0 of the CVSS specification. CVSS v3.0 is quickly gaining worldwide adoption, and beginning in October 2015, the Juniper SIRT will publish CVSSv3 Base Scores for all Juniper Security Advisories. Refer to Changes in CVSS v3.0 in the CVSS v3.0 User Guide for more information about the improvements to the CVSS specification found in version 3.0.