
Req 6.2 - PCI 2.0 - What CVSS score is regarded as 'High' risk?

Question asked by Alan Dzarasov on Dec 29, 2010
Latest reply on Jan 3, 2011 by James.Beers

Requirement 6.2 : Assign risk ranking to vulnerabilities (Internal scanning)

Reading this blog: https://community.qualys.com/blogs/qualys-tech/2010/10/28/pci-dss-20-published a merchant is to "come up with a risk ranking" based on Industry Best Practice - e.g. CVSS. Also "At minimum there should be process in place to make critical high risk vulnerabilities as "HIGH"."


All CVSS scores (Base, Temporal & Environmental) are defined as a value between 0 and 10.


Is there a clear definition of a 'High' score for CVSS? I heard an opinion that CVSS 4.0 is the dividing line for 'High' risk, but who has defined it, and why not 3.0 or 6.0? Or was it used just as an example? Or is it up to the merchant to define as well? Has anyone come across a widely accepted industry definition of 'High' risk for a CVSS score?
