
Security/VMT-Metrics

Revision as of 09:42, 12 November 2014 by Robert-clark (talk | contribs) (Introduction)

Introduction

The OpenStack Security Group (OSSG) suggests that, when the Vulnerability Management Team (VMT) creates OpenStack Security Advisories, it use the following metrics to score the potential impact of vulnerabilities on OpenStack deployments.

As with all scoring systems, this will not be universally applicable, but it will provide basic guidance on the severity of each vulnerability.

The OSSG has adapted the DREAD metric as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.

DREAD

DREAD scores five categories. The five scores are summed and divided by five, giving a result from 0 to 5, where 0 indicates no impact and 5 is the worst possible outcome:

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
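The formula above, as an added example (not part of the wiki page or of any VMT tooling). It assumes each category is rated as an integer from 0 to 5, which the page implies through the 0-5 range of the result, and it also shows a property of the formula worth knowing when reading a score: because the result is a mean, a vulnerability with one catastrophic category can score the same as one that is uniformly mild.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class DreadScore:
    """One DREAD rating for a vulnerability.

    Assumption: each category is an integer in 0..5 (the page only
    states the 0-5 range of the final result).
    """
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject out-of-range input early so a bad rating cannot skew the mean.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not 0 <= value <= 5:
                raise ValueError(f"{f.name} must be an integer in 0..5, got {value!r}")

    def categories(self):
        return [getattr(self, f.name) for f in fields(self)]

    def risk(self) -> float:
        # Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY
        #         + AFFECTED USERS + DISCOVERABILITY) / 5
        return sum(self.categories()) / 5

    def worst_category(self) -> int:
        # Highest single category; useful alongside the mean, which hides outliers.
        return max(self.categories())


if __name__ == "__main__":
    # Constructed ratings: maximum damage but hard to find and reach,
    # versus a uniformly moderate issue. Both average to 2.0.
    spiky = DreadScore(damage=5, reproducibility=1, exploitability=1,
                       affected_users=1, discoverability=2)
    flat = DreadScore(damage=2, reproducibility=2, exploitability=2,
                      affected_users=2, discoverability=2)
    for name, s in (("spiky", spiky), ("flat", flat)):
        print(f"{name}: risk={s.risk():.1f} worst_category={s.worst_category()}")
```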