This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new e9c6d411c4 doc/CVSS
e9c6d411c4 is described below
commit e9c6d411c49d440f12fee2fb55bad6dfa277ebda
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Mar 6 02:54:40 2026 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Mar 20 22:01:43 2026 +0100
doc/CVSS
A simple (FFmpeg-specific) guide on how to choose CVSS
---
doc/CVSS.txt | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/doc/CVSS.txt b/doc/CVSS.txt
new file mode 100644
index 0000000000..9aacd38872
--- /dev/null
+++ b/doc/CVSS.txt
@@ -0,0 +1,40 @@
+This document is work in progress
+
+*What is CVSS*
+ The Common Vulnerability Scoring System (CVSS) is an open,
industry-standard framework used to measure and communicate the severity of
software vulnerabilities, ranging from 0.0 to 10.0.
+
+*Why we need this Document*
+ It is important that FFmpeg CVEs have consistent and correct CVSS, not
only for the obvious reason that one can recognize the severity of an issue at
first glance.
+ But also as these numbers form the basis of rewards paid in bug bounty
systems. Inconsistent CVSS could lead to unfair payouts.
+
+*What is this Document*
+ Prior 2026, FFmpeg had no guideline about CVSS.
+ This document describes how to select the CVSS for a FFmpeg related CVE.
It currently only covers the Base Score.
+
+*What is the CVSS Base Score*
+ AV Attack Vector (Network, Adjacent, Local, Physical)
+ AC Attack Complexity (Low, High)
+ PR Privileges Required (None, Low, High)
+ UI User Interaction (None, Required)
+ S Scope (Unchanged, Changed)
+ C Confidentiality (None, Low, High)
+ I Integrity (None, Low, High)
+ A Availability (None, Low, High)
+
+
+*Things people have set incorrectly*
+
+Below are general guidelines and in specific cases other things may apply.
+
+Attack Vector.
+ Quote from https://www.first.org/cvss/v3.1/user-guide
+ "Specifically, analysts should only score for Network or Adjacent when
a vulnerability is bound to the network stack.
+ Vulnerabilities which require user interaction to download or receive
malicious content (which could also be delivered locally, e.g., via USB drives)
should be scored as Local."
+
+Availability.
+ FFmpeg Crashes -> AVAILABILITY IMPACT: Low
+ FFmpeg is frequently used as a short-lived, single-run process instead of
a continuously running service that handles ongoing streams of user input. In
that usage model, a crash usually causes only limited disruption.
+
+User Interaction
+ Please consider if an attacker can actually set the parameters required
for an attack.
+ In general arbitrary filter parameters cannot be set by an attacker and
require the user/account owner/admin to set them
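Review bot: The document never states which CVSS version it targets, yet the metric list in "What is the CVSS Base Score" includes Scope (S) and the Attack Vector section quotes the v3.1 user guide; since CVSS v4.0 dropped Scope in favour of Vulnerable/Subsequent System impact metrics, a reader scoring under v4.0 cannot apply this guide as written. Suggest adding a sentence such as "This document targets CVSS v3.1 (Base Score only)" next to "It currently only covers the Base Score." Two smaller points in the same hunk: the Availability rule "FFmpeg Crashes -> AVAILABILITY IMPACT: Low" is stated unconditionally while its justification rests on the short-lived single-run usage model, so it would help to say explicitly what applies when FFmpeg's libraries are embedded in the continuously running service the text contrasts it with; and the User Interaction section's guidance about whether an attacker can set filter parameters reads more like a Privileges Required / Attack Complexity consideration than a UI one, so either relabel it or state the intended UI value (e.g. Required when the user must run FFmpeg on attacker-supplied input) so the section answers the metric named in its heading.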
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]