At the point-of-release review, stakeholders commonly disagree over whether to move to the next stage. For example, the development team may consider an issue minor enough to proceed, while the operations team may consider it high-risk.
Therefore, to get a more objective view of the severity and impact of a security issue, it's suggested to apply CVSS 3.0. CVSS 3.0 (calculator: https://www.first.org/cvss/calculator/3.0) evaluates a security issue by answering the following eight questions:
- Attack Vector (AV): Does the attack require physical access, or can it be done through a network?
- Attack Complexity (AC): Can the attack be ...