To help assess the risk presented by a particular vulnerability, two widely used labels exist. They come from different bodies, which are often conflated: the CVE Program, run by MITRE, assigns the identifiers (through CVE Numbering Authorities), and NIST (the US National Institute of Standards and Technology) maintains the National Vulnerability Database (NVD), which publishes a severity score for each of them. Between them they:

  • label each publicly disclosed vulnerability with a CVE (Common Vulnerabilities and Exposures) identifier, and

  • rate the severity of the vulnerability with a CVSS (Common Vulnerability Scoring System) base score from 0 to 10 (with 10 being most critical), computed from a vector of metrics such as whether it is reachable over the network, whether authentication is required, and how badly confidentiality, integrity and availability are affected

In the case of Shellshock (CVE-2014-6271), for example, the CVSS rating was 10. The initial patch turned out to be incomplete, and a second identifier (CVE-2014-7169), also rated 10, was assigned to the remaining flaw so that the follow-up fix could be tracked separately from the original.

When a CVSS rating is 5 or higher (Heartbleed, CVE-2014-0160, scored 5.0 under CVSS v2, for example), your organisation may have agreed that the patch needs to be accelerated beyond your normal patching cycle. Two caveats apply when using the score as a trigger: the number depends on the CVSS version (Heartbleed is rated 7.5 under CVSS v3), and the base score measures the vulnerability's intrinsic characteristics, not how exposed or important the affected systems are in your environment. Heartbleed was a memory disclosure bug on public-facing TLS endpoints, which its 5.0 base score considerably understated, so treat the score as the starting point for triage rather than the whole of the risk assessment.
