@@ -25,4 +25,44 @@ response to security threats and operational issues:
2525
2626This level of support ensures that organizations can rely on DHI for their
2727mission-critical applications, with the assurance that security and stability
28- are maintained proactively.
28+ are maintained proactively.
29+
30+ ### How Docker defines Critical and High severity vulnerabilities
31+
32+ For consistent and accurate severity classification, Docker uses the same
33+ severity and scoring principles as [ Docker
34+ Scout] ( ../../scout/deep-dive/advisory-db-sources.md ) when determining whether a
35+ CVE is considered Critical or High.
36+
37+ #### Severity and scoring priority
38+
39+ Docker Scout uses two main principles when determining severity and scoring for
40+ CVEs:
41+
42+ - Source priority
43+ - CVSS version preference
44+
45+ For source priority, Docker Scout follows this order:
46+
47+ 1 . Vendor advisories: Scout always uses the severity and scoring data from the
48+ source that matches the package and version. For example, Debian data for
49+ Debian packages.
50+
51+ 2 . NIST scoring data: If the vendor doesn't provide scoring data for a CVE,
52+ Scout falls back to NIST scoring data.
53+
54+ For CVSS version preference, once Scout has selected a source, it prefers CVSS
55+ v4 over v3 when both are available, as v4 is the more modern and precise scoring
56+ model.
57+
58+ #### Vulnerability matching
59+
60+ Traditional tools often rely on broad [ Common Product Enumeration
61+ (CPE)] ( https://en.wikipedia.org/wiki/Common_Platform_Enumeration ) matching,
62+ which can lead to many false-positive results.
63+
64+ Docker Scout uses [ Package URLs
65+ (PURLs)] ( https://github.com/package-url/purl-spec ) to match packages against
66+ CVEs, which yields more precise identification of vulnerabilities. PURLs
67+ significantly reduce the chances of false positives, focusing only on genuinely
68+ affected packages.
0 commit comments