Automatic vulnerability scoring decision

[adulau]

Following a discussion with @cedricbonhomme about automatic scoring with information within vulnerability-lookup, an automatic vulnerability scoring decision can be calculated automatically:

Mapping for vulnerability lookup

• Track - The vulnerability is sourced in vulnerability lookup from one or more sources without any sighting or comments.
• Track* - The vulnerability is sourced (or not for vulnerability without source publication) in vulnerability lookup from one or more sources with one or more comments or one sighting from non-sources (not NVD or alike).
• Attend - The vulnerability is sourced (or not for vulnerability without source publication) in vulnerability lookup from one or more sources with one or more comments or two or more sightings from non-sources (not NVD or alike).
• Act - The vulnerability is sourced (or not for vulnerability without source publication) in vulnerability lookup from one or more sources with one or more comments or two or more sightings from non-sources (not NVD or alike) and present in KEV (CISA) or KEV (local instance) flag?.

Based on CISA - THE VULNERABILITY SCORING DECISION - Page 3