The CVSS model includes base, temporal, and environmental components, each with a score that contributes to the overall score. As part of the notification process, NetApp provides an evaluation of the base and temporal vulnerability scores. Consumers of the vulnerability notification are encouraged to compute the environmental score based on their unique environment. The combination of all three scores should be considered the final score, which represents a moment in time and is specific to the consumer's environment.
NetApp uses a combination of the base and temporal scores when prioritizing vulnerability responses. Additionally, NetApp uses the following CVSS guidelines when determining how and when a vulnerability will be disclosed:
- Security Alert – provides information about significant security vulnerabilities that directly affect NetApp products and require a software upgrade, patch, or other customer action to remediate.
- Security Notice – documents low and medium severity security issues that directly involve NetApp products but do not warrant the visibility of a NetApp Security Advisory.
- Security Response – addresses issues that require a response to information discussed in a public forum, such as a blog or discussion list.
  - Security responses are normally published if a third party makes a public statement about a NetApp product vulnerability.
- Release Note Enclosure – provides information about low severity security vulnerabilities.
NetApp security publications are organized by Common Vulnerabilities and Exposures (CVE) identifier to facilitate correlation of security issues across NetApp products.
For more information about CVSS, visit the FIRST.org website.