In SCS-0124 we write:

---
Critical (CVSS = 9.0 – 10.0): 3 hours
High (CVSS = 7.0 – 8.9): 3 days
Mid (CVSS = 4.0 – 6.9): 1 month
Low (CVSS = 0.1 – 3.9): 3 months
---

Our Policies should be the same where possible, so adjust this to match IaaS.

Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>

This was noticed by @janeczku and raised in our RKE2 session at the hackathon.

I agree that it may be beneficial to harmonize the two standards, but as far as I can tell, scs-0210 came first, and now I'm wondering why scs-0124 takes precedence.

It does not take precedence, but it actually explains the chosen scores much better. Why did we pick 8 for critical in this standard? Technically only >= 9.0 is critical. High is 7.0 - 8.9 - the IaaS standard explains this and also points to the BSI C5 common criteria. I've updated the change to explain this better. Thanks for highlighting this!
mbuechse
left a comment
If we now include CVEs with scores 7 through 8, this makes the regulation stricter, but the rule in question is only a recommendation, so we should be good.
| - This time period MUST be even shorter for patches that fix critical or high CVEs. | ||
| A critical CVE is a CVE with a CVSS base score >= 9.0 and a high CVE with a CVSS | ||
| base score >= 7.0 according to the CVSS version used in the original CVE record (e.g., CVSSv3.1). | ||
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this |
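Review bot: the definition of a high CVE in this hunk, "a CVSS base score >= 7.0", overlaps with the critical definition, because every score >= 9.0 also satisfies >= 7.0; bounding high as 7.0 – 8.9 (the range scs-0124 uses, as quoted in the PR description) would make the two classes disjoint and the "critical or high" condition unambiguous.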
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this | |
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release; this |
or we explain why we chose 8 - that was the question that initially started this discussion and why I looked up what we do for IaaS.