So typically I use CVSSv2 as a good example of a metric that _doesn't_ work well for OpenStack – or any virtualisation product.

Proposing a vulnerability metric for OpenStack was on the agenda for the OSSG meet up but lower down the list than some other things and we didn't get around to it. I asked Doug Chivers to provide some background research which he sent to the list some time ago and had some positive feedback.

This might be a good thing to address in a design session, with appropriate preliminary work.

From: Bryan Payne <bdpayne at acm.org>
Date: Monday, 25 August 2014 18:19
To: Thierry Carrez <thierry at openstack.org>
Cc: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: Re: [Openstack-security] Where do we stand on formal process for classifying the severity of security bugs?

Rob proposed something based on CVSS, but I've yet to see a process that we could include as part of the vulnerability management team processes.

Could you provide a little more detail as to what is missing? It would be nice to move ahead with doing something like this. But perhaps I don't know what problems remain to be solved (or where OSSG could help with those problems).

Thanks,
-bryan