This sounds really good Doug! I agree that neither of those traditional scoring metrics really take into account important factors of cloud deployments. In particular I think the position in the cloud is extremely important. I¹d be interested in working with you and the community to get some better way of scoring vulnerabilities for the cloud. Thanks, -Travis On 6/10/14, 4:55 AM, "openstack-security-request at lists.openstack.org" <openstack-security-request at lists.openstack.org> wrote: >- The Vulnerability framework should include position in cloud in the >calculation, e.g. ?under cloud infrastructure?, ?on cloud infrastructure?, >?public instance?