Why is it important to use the Common Vulnerability Scoring System (CVSS) to reference the ratings of identified vulnerabilities when preparing the final penetration testing report?
- It is an international standard for listing publicly known vulnerabilities.
- It has been adopted by many tools, vendors, and organizations.
- It is authorized by governments around the world.
- It is easy to use.
Explanation & Hints:
In a typical final report, the Findings section should document the technical details of whether or how the system under test and its related components may be exploited, based on each vulnerability found. Using an industry-accepted risk rating for each vulnerability, such as the Common Vulnerability Scoring System (CVSS), is a good idea. CVSS has been adopted by many tools, vendors, and organizations. Using an industry standard such as CVSS will increase the value of the final report.