Commit

CVSS 4.0
- addresses parts of oasis-tcs#652
- explicitly mention names of Exploitability throughout the different CVSS versions
tschmidtb51 committed Feb 27, 2024
1 parent 49ff91a commit 66834eb
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -750,7 +750,8 @@ Valid values are:
The value `exploit_status` indicates that the `details` field contains a description of the degree to which an exploit for the vulnerability is known.
This knowledge can range from information privately held among a very small group to an issue that has been described to the public at
a major conference or is being widely exploited globally.
For consistency and simplicity, this section can be a mirror image of the CVSS "Exploitability" metric.
For consistency and simplicity, this section can be a mirror image of the CVSS `exploitMaturity` (v4.0),
respectively `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0) metric.
However, it can also contain a more contextual status, such as "Weaponized" or "Functioning Code".

The value `impact` indicates that the `details` field contains an assessment of the impact on the user or the target set if
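
Review bot: In the added sentence, "respectively" does not work as a conjunction, and the trailing "metric" ends up attached only to `exploitability` (v2.0), so the sentence is hard to parse. Consider "this section can be a mirror image of the CVSS metric for the version in use: `exploitMaturity` (v4.0), `exploitCodeMaturity` (v3.1 and v3.0) or `exploitability` (v2.0)". The replaced line also referred to the metric by its quoted name "Exploitability", while the new text uses code-formatted camelCase identifiers; if these are meant as the property names of the CVSS objects rather than the metric names in the CVSS specifications, say so explicitly so readers know where to look them up.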