The natural answer is "yes", though I'm not sure what implications there would be for our security process.
Probably makes sense to move this to our internal refinement column to put some ACs around doing a quick bit of research on what the implications are before making a decision.
No strong feelings on this. It seems like a good idea to move to the latest version, but would this have materially changed our response to any of the last few significant security issues?
For the most part it looks like not a lot changes, to be honest. There are a few more categories to fill out, and based on those in their typical examples it seems that the score is generally reduced by a bit.
I'd say it would very slightly increase the workload to do the CVSS calculation in the first place, but not much more than that really. I don't see any need for us to back-compat and provide two CVSS values, just switch to using 4.0 exclusively.
Currently we use the CVSS v3 calculator when determining the severity of a security vulnerability.
CVSS 4.0 is now available. That link includes a FAQ, examples, and a calculator among other information.
We should probably adopt the new CVSS standard for evaluating the severity of vulnerabilities.