Security Basics mailing list archives

cvss questions


From: fire0088 () gmail com
Date: Sun, 20 Nov 2011 00:31:14 GMT

Recently, my company has started using CVSS v2 for our metrics.

I'm satisfied with the corresponding values I get from the score calculator *until* I add in the "Target Distribution" 
score, which drastically cuts down on the vulnerability's "Overall CVSS Score."

As I understand it, and as the CVSS v2 manual states, the field "Target Distribution" is "the portion of vulnerable 
systems on the network."

Since my client has a large and varied network, vulnerabilities will always get the "target distribution" of 0%-25%.

This means my "Overall CVSS Score" gets dropped from a high rating between 8-10 to around 1.5 - 2.5 when target 
distribution is set to 0%-25%. Even if the targeted computers are mission critical, and their failure can result in 
loss of life, the corresponding value gets reduced.

Is my understanding of "Target Distribution" incorrect?

Is it ethical to set the "Target Distribution" to "Not Defined," even if I know exactly how many machines will be 
affected? If it is ok to do this, what justification can I provide if questioned on why the value was skipped?

Thanks for your help!
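The score drop described in the post, reproduced with the CVSS v2 equations from the CVSS v2 guide (an added example, not part of the original post; the two vectors are constructed, the metric weights and formulas are the published ones):

```python
# Added example, not part of the original post: the CVSS v2 base, temporal and
# environmental equations as published in the CVSS v2 guide, used to show how
# the Target Distribution (TD) factor scales the environmental score.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

def r1(x):
    """round_to_1_decimal; the small nudge makes exact .x5 ties round up."""
    return round(x + 1e-9, 1)

def _impact(c, i, a, cr=1.0, ir=1.0, ar=1.0):
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))

def base_score(av, ac, au, c, i, a, impact=None):
    impact = _impact(CIA[c], CIA[i], CIA[a]) if impact is None else impact
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return r1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def temporal_score(base, e="ND", rl="ND", rc="ND"):
    return r1(base * E[e] * RL[rl] * RC[rc])

def environmental_score(vec, cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """vec = (AV, AC, Au, C, I, A, E, RL, RC) as metric labels."""
    av, ac, au, c, i, a, e, rl, rc = vec
    # AdjustedImpact: Impact recomputed with the security requirements, capped at 10.
    adj_impact = min(10.0, _impact(CIA[c], CIA[i], CIA[a], REQ[cr], REQ[ir], REQ[ar]))
    adj_temporal = temporal_score(base_score(av, ac, au, c, i, a, adj_impact), e, rl, rc)
    # TD multiplies the whole bracket, so TD=L (0.25) caps the result at 2.5
    # no matter how high CDP or the security requirements are set.
    return r1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])

# Constructed vectors: a base 10.0 issue and a base 6.8 issue, both with temporal ND.
CRITICAL = ("N", "L", "N", "C", "C", "C", "ND", "ND", "ND")
MODERATE = ("N", "M", "N", "P", "P", "P", "ND", "ND", "ND")

if __name__ == "__main__":
    for name, vec in (("critical", CRITICAL), ("moderate", MODERATE)):
        print(name, "base", base_score(*vec[:6]),
              "| TD=ND CDP=H req=H", environmental_score(vec, "H", "ND", "H", "H", "H"),
              "| TD=L CDP=H req=H", environmental_score(vec, "H", "L", "H", "H", "H"))
```

Setting CDP to High and the security requirements to High raises the adjusted temporal score, but once TD=L is applied the result is multiplied by 0.25, which is exactly the collapse to the 1.5-2.5 range the post describes.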




 

