NIST SP 800-33 2.0.1 says that the "availability" part of the CIA triad protects against intentional or accidental attempts to either:
- perform unauthorized deletion of data or
- otherwise cause a denial of service or data
This makes it pretty clear that the ability to delete data does in fact modify availability from a security standpoint in general. However, the CVSS v2 spec states:
> This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
All of the examples provided discuss service availability, not data availability. I know that CVSS v3 clears this up by explicitly stating:
> ...That is, the Availability metric speaks to the performance and operation of the service itself – not the availability of the data.
When scoring a vulnerability which provides the ability to delete data with CVSS v2, do you score it as impacting availability? Is it safe to assume that this clarification can be back-ported to v2?