We will switch to CVSS v3.0 starting in 2018
After our announcement back in January this year, and a transition phase where we scored both version 2 and version 3, we will finally switch entirely to the Common Vulnerability Scoring System (CVSS) version 3.0 for vulnerability assessment with the beginning of 2018.
Customers who automatically check our v2 scoring will no longer see any values for new emerging security incidents starting in the first week of January 2018. However switching to the v3 scoring is really simple if you only check the base metrics score, as this is still a numerical result between 0.0 and 10.0.
With the switch to the new scoring system we will provide SUSE Linux Enterprise Live Patching for all kernel issues rated “High” or “Critical” (CVSS v3 score >= 7.0).
CVSS scores are only a simple representation of security vulnerabilities that allow stakeholders to act quickly on new emerging threats. This should not replace a closer look if a system is really vulnerable or not.
For more background details about CVSS v3, please revisit our blog post from January 2017.