From: Daniel Stenberg Date: Thu, 19 Dec 2024 13:25:32 +0000 (+0100) Subject: VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS X-Git-Tag: curl-8_12_0~315 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfb97e1fcf6fcbd59df5375753264122da827016;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS Closes #15779 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index fa379cf534..e10b489062 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -153,6 +153,15 @@ levels depending how serious we consider the problem to be. We use **Low**, **Medium**, **High** and **Critical**. We refrain from using numerical scoring of vulnerabilities. +We do not support CVSS as a method to grade security vulnerabilities, so we do +not set them for CVE records published by the curl project. We believe CVSS is +a broken system that often does not properly evaluate to suitable severity +levels that reflect all dimensions and factors involved. Other organizations +however set and provide CVSS scores for curl vulnerabilities. You need to +decide for yourself if you believe they know enough about the subjects +involved to make reasonable assessments. Deciding between four different +severity levels is hard enough for us. + When deciding severity level on a particular issue, we take all the factors into account: attack vector, attack complexity, required privileges, necessary build configuration, protocols involved, platform specifics and also what
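Review bot: In the added paragraph, "we do not set them for CVE records" has no clear antecedent (the nearest noun is "a method"); suggest "we do not set CVSS scores for CVE records published by the curl project". The same paragraph also partly restates the sentence immediately above it ("We refrain from using numerical scoring of vulnerabilities"), so consider folding the two together, e.g. "We refrain from numerical scoring and do not assign CVSS scores to the CVE records we publish", and keep the rationale as the second sentence. Finally, since the text tells readers that other organizations publish CVSS scores for curl vulnerabilities, it would help to state plainly that those scores are neither produced nor reviewed by the project, so that readers of the project's advisories know which severity rating is the authoritative one.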