Security reports: Remodel severity and confidence
## Problem

Today we use a similar vocabulary for communicating Severity and Confidence. This leads to a confusing experience, especially where the two labels appear next to one another. Furthermore, we need to identify the industry standard for vulnerability scoring and address any discrepancies between it and our current experience.

## Findings

More info and details can be found **[in this section](https://gitlab.com/gitlab-org/gitlab/issues/12229#confidence-level-proposal-remove-confidence-in-our-ui)**.

1. The industry standard for vulnerability scoring is [CVSS](https://www.first.org/cvss/specification-document).
   * CVSS is at v3 and is being adopted by competitors in the space, though a few still align to the CVSS v2 framework.
1. Our severity levels do not currently align with the CVSS framework.
1. Confidence is not a first-class UI element and should not be displayed to the user at this time. [Details here](https://gitlab.com/gitlab-org/gitlab/issues/12229#note_244351476).
1. Confidence is a sub-class scoring vector for vulnerability scoring that is used in combination with other sub-class vectors to output a Risk or Severity for a vulnerability (in CVSS it appears as the Report Confidence temporal metric, which adjusts the score rather than being displayed on its own).

## Proposal

> :warning: **Note** This is not a proposal to use the actual CVSS v3 scoring template and replace our scanner-reported data. Simply put, we should adopt the severity framework so we can position our product for the eventual inclusion of the features coming along in ~"Category:Vulnerability Management", as well as adopt industry best practices.

1. Remove confidence from our UI.
1. Remove the `Undefined` severity level from our reports.
1. All instances of `Undefined` severity levels should be translated into `Unknown`.
   * `Unknown` will, by definition, mean "no severity data".
## Value delivered

- Less confusing experience for users when parsing vulnerability information
- Seamless integration of 3rd-party severity information
- Seamless integration of vulnerability reports imported from 3rd parties (HackerOne)
- A clearer understanding of our severity warnings, backed by the CVSS v3 documentation
- A common framework for severity scoring based on industry standards
- A solid foundation from which to consider richer and more advanced features for users in the future

## Decisions and outcomes

From: https://gitlab.com/gitlab-org/gitlab/issues/12229

```
1. Remove confidence from our UI
1. Remove the use of `Undefined` in severity level from our reports
1. All instances of `Undefined` severity levels should be translated into `Unknown`.
1. Clearly explain `Unknown` means `no severity data` within the UI and docs.
1. Document how we normalize our severity values into our framework for each analyzer
1. Do the BE work to normalize our values into the new framework
```

___
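The last two decisions (document per-analyzer normalization, do the backend work) are the only technical piece of this issue. The sketch below is an added example written for this page, not GitLab's own code: it normalizes analyzer-reported severity labels into one target vocabulary, retires `Undefined` (and nil/blank values) into `unknown`, and buckets a numeric CVSS v3 base score from an imported third-party report into the CVSS qualitative rating. The target level set (the five CVSS v3.x qualitative ratings plus `unknown`), the analyzer names `example-sast`/`example-dast`, their alias tables, and the sample findings are all assumptions constructed for illustration. The score bands are the CVSS v3.x qualitative severity rating scale from the FIRST specification; using them only for imported numeric scores keeps within the note above that scanner-reported data is not replaced by CVSS scoring.

```ruby
# Added example, not GitLab's code: normalize analyzer severities into one
# framework aligned with the CVSS v3.x qualitative scale.
require 'set'

module SeverityNormalizer
  # Target vocabulary (assumed): the five CVSS v3.x qualitative ratings plus
  # `unknown`, which means "no severity data" and replaces the old `Undefined`.
  LEVELS = %w[critical high medium low none unknown].freeze

  # Labels that mean "no data" regardless of analyzer. nil and blank strings
  # are treated the same way in `normalize`.
  NO_DATA = Set.new(%w[undefined unknown unspecified]).freeze

  # Per-analyzer alias tables. These analyzer names and vocabularies are
  # illustrative assumptions, not the mappings of any real GitLab analyzer.
  ALIASES = {
    'example-sast' => { 'major' => 'high', 'minor' => 'low', 'warning' => 'medium' },
    'example-dast' => { 'informational' => 'none', 'severe' => 'critical' }
  }.freeze

  # CVSS v3.x qualitative severity rating scale (FIRST specification).
  CVSS_BANDS = [
    [0.0, 0.0, 'none'],
    [0.1, 3.9, 'low'],
    [4.0, 6.9, 'medium'],
    [7.0, 8.9, 'high'],
    [9.0, 10.0, 'critical']
  ].freeze

  # Normalize a raw label reported by `analyzer` into one of LEVELS.
  # Anything we cannot interpret becomes 'unknown' rather than raising, so one
  # odd finding cannot break report ingestion; callers can log those cases.
  def self.normalize(raw, analyzer: nil)
    label = raw.to_s.strip.downcase
    return 'unknown' if label.empty? || NO_DATA.include?(label)

    label = ALIASES.fetch(analyzer, {}).fetch(label, label)
    LEVELS.include?(label) ? label : 'unknown'
  end

  # Map a numeric CVSS v3 base score (e.g. from an imported third-party
  # report) to its qualitative rating. Non-numeric or out-of-range -> 'unknown'.
  def self.from_cvss_score(score)
    value = Float(score, exception: false)
    return 'unknown' if value.nil?

    value = value.round(1) # CVSS scores carry one decimal place
    band = CVSS_BANDS.find { |lo, hi, _| value >= lo && value <= hi }
    band ? band.last : 'unknown'
  end

  # Sort key so reports list the most severe findings first and 'unknown' last.
  def self.rank(level)
    LEVELS.index(level) || LEVELS.index('unknown')
  end
end

# Constructed sample findings, as a report ingester might receive them.
SAMPLE = [
  { analyzer: 'example-sast', severity: 'Major' },
  { analyzer: 'example-sast', severity: 'Undefined' },
  { analyzer: 'example-dast', severity: 'Informational' },
  { analyzer: 'legacy', severity: nil },
  { analyzer: 'hackerone-import', cvss_score: '9.1' }
].freeze

# Attach a normalized level to each finding and order by severity.
def normalize_findings(findings)
  findings.map do |f|
    level = if f.key?(:cvss_score)
              SeverityNormalizer.from_cvss_score(f[:cvss_score])
            else
              SeverityNormalizer.normalize(f[:severity], analyzer: f[:analyzer])
            end
    f.merge(normalized: level)
  end.sort_by { |f| SeverityNormalizer.rank(f[:normalized]) }
end

if $PROGRAM_NAME == __FILE__
  normalize_findings(SAMPLE).each do |f|
    puts "#{f[:analyzer]}: #{f[:severity] || f[:cvss_score]} -> #{f[:normalized]}"
  end
end
```

The design point worth keeping from this sketch is that a label an analyzer table does not recognise degrades to `unknown` instead of raising or being passed through verbatim: that is what makes "no severity data" a single, explainable state in the UI, and it means adding a new analyzer is a matter of adding one alias table and documenting it.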