Severity Rating Systems – Part 1

Read the full Part 1 on CSOonline

Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards (NIST) for the National Vulnerability Database (NVD) – found at

So, let me say that in my opinion, some of the concerns raised by Red Hat have merit and mirror some of the issues I’ve raised myself. 

On the other hand, the Red Hat motivation seems to be to impugn vulnerability comparisons where Red Hat might not come out on top, rather than to constructively identify the issues and propose some alternative that might work better, so I think a deeper look might be interesting.

I’ve posted up Part 1 on CSOonline.  Read the full details there and give me your thoughts as feedback.  I’m planning either one or two more follow-up posts to further explore severity rating systems and your feedback could very likely influence those posts…

Regards ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »