Is anyone using CVSS v3 in their enterprise environment? Seems Qualys only shows CVSS v2 for all vulnerabilities.
I dont know if Qualys plans to populate CVSS v3 on all vulnerabilities.
The CVSS v3 values are available. If you go to the KnowledgeBase and click on gear, you will see an option called Columns. From the list of available columns, you should see CVSS v3 scores.
only about 5k of the 30k+ vulnerabilities in the knowledge base have a CVSS v3 score. but practically all have a CVSS v2 populated.
There are currently no plans to associate CVSS v3.0 scores to CVEs that were already analyzed in the NVD prior to 12/20/2015. A subset of CVEs from before this time may be given CVSS v3.0 scores due to special cases or existence as examples in the CVSS v3.0 documentation.
Scores for the CVE vulnerabilities published between to 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not contain granularity of CVSS v2 and so these scores are marked as "Version 2.0 upgrade from v1.0" within NVD. While these scores are an approximation, they are expected to be reasonably accurate CVSS v2 scores.
Scores provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Version 2.0 Incomplete approximation" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: Access Complexity, Authentication, Confidentiality Impact of 'partial', Integrity Impact of 'partial', Availability Impact of 'partial', and the impact biases.
I must have missed this. thank you!
Retrieving data ...