Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
> No, the NVD ratings are entirely meaningless to us. In addition to
> security issues fixed in DSAs, there are also minor security fixes
> provided via the jessie point updates.
>
> Cheers,
> Moritz
1. If NVD ratings are meaningless to Debian's security team, how does the
security team prioritize which vulnerability should be fixed first before
others?
2. According to https://www.debian.org/security/, it states:
"Debian also participates in security standardization efforts: the Debian
Security Advisories are CVE-Compatible (review the cross references) and
Debian is represented in the Board of the Open Vulnerability Assessment
Language project."
If Debian Security Advisories are CVE-compatible, it means that the former
accept the NVD ratings included in CVEs, yes?