Daniel Stenberg says the scores are “security misinformation”.

  • 𝕸𝖔𝖘𝖘
    2612 days ago

    To a degree, he’s right. But it’s not the scores that are failing; it’s the scoring body.

    • @[email protected]
      1312 days ago

      The scores do fail though - they don’t encompass enough information. They can’t encompass enough information because something that is critical in one sense (e.g., and making shit up here, Java listening to the internet) might not be in another (e.g. Java running on specific scientific data in an airgapped environment). Security is always situation and risk-appetite dependent. No number can encompass all that.

      • 𝕸𝖔𝖘𝖘
        712 days ago

        No number can encompass all that.

        Maybe a combo number would get us closer. But, still, the actual governing body must be completely impartial and logical in their rating. But also, we have to make a reality check on the priority of the rating in our own environments. Using your example, a 10 rating might be a 1 for that airgapped machine—judgement call.