HI! When is CVSS version 4 expected to be implemented in GSM? Is the implementation of EPSS also planned? Thank you.
CVSS 4 has been in a state of public preview and feedback for a while and was officially released on November 1st, 2023. However, NIST, MITRE, or even vendors issuing CVEs have not begun issuing CVSS 4 scores or vectors.
I guess Greenbone’s answer to the CVSS 4.0 implementation question is similar to the answer from Qualys:
CVSS v4 scoring will be integrated into Qualys VMDR while vendors begin to include CVSS v4 scores in their security advisories.
first of all you need to ask yourself which value does bring a CVSSv4 compared to a CVSSv3 to you personally. At the moment not much. Vendors will slowly adapt it and it will take several years to replace CVSSv3. Was the same with CVSSv3 and CVSSv2.
In summary, CVSS 4.0 and EPSS are currently in the research and planning phase at Greenbone. We do not yet have a time frame for when they will be introduced for our products.