• sylver_dragon
    310 days ago

    While I understand the author’s frustration, I fear this is an example of letting perfect be the enemy of good. Yes, CVSS scores are flawed, but the solution offered by the author is completely unworkable and is pretty much the reason CVSS exists:

    The problem is grounded in the fact that a single one-dimensional score is just too limited. Every user or distributor of the project should set scores for their different use cases. Maybe even different ones for different cases. Then it could perhaps work.

    Organizations have a lot of software and that software is going to have vulnerabilities found from time to time. While the perfect solution will always be “fix all the things”, most organizations will not have the time and budget to make all of that happen instantly. Changes need to be tested, staged and rolled out in a controlled manner, lest a buggy update bring things down. The end result is that organizations need a way to assign priority based on risk. If every software supplier is handing out severity, based on some internal metric, how does an organization compare them? The short answer is, they can’t. Much as the author points out, the only people who know the software internals well enough to really do that are the authors themselves. But, when the author’s project puts out a “medium”, how does that compare to another project’s “medium”? Or, if some project puts out a “4”, do we prioritize the “medium”, the “medium”, or the “4”? After a certain point, there will simply be too many different products using wildly different criteria for IT organizations to keep up. And then there is the issue of reputational scoring. What happens when a company decides they would rather downplay the severity of a vulnerability and so publish it as a “green” when maybe it should have come in at a much higher level? For all its flaws, the CVSS score provides something for organizations to look at and make a decision on.

    I think the author’s response to CISA’s activities is also telling. I want to highlight a couple things, specifically around that:

    The curl project is a CNA, which means that we reserve and publish our own CVE Ids to the CVE database. There is no middle man interfering and in fact no one else can file curl CVE entries anymore without our knowledge and us having a saying about it.
    The main thing they [CISA] seem to detect and help “fix” is the lack of CVSS in published CVE entries. Like every single curl CVE because we don’t participate in the CVSS dance.
    CISA had decided that CVE-2024-11053 should be earned a CVSS 9.1 score.
    The curl security team had set the severity to LOW because of the low risk and special set of circumstances that are a precondition for the problem.
    Once I was made aware of this insane 9.1 score, I took time of my Sunday afternoon with my family and made a pull-request there urging them to at least lower the score to 5.3. That was a score I could get the calculator to tell me.

    The author is already doing the work to examine and classify vulnerabilities. However, instead of accepting a flawed system as part of a larger community, they have opted out and tried to be a special snowflake. That the author “took time of my Sunday afternoon with my family…” is his own damn fault. If the author had taken the time, up front, to fill in something in the CVSS score, there would not have been a gap for CISA to fill. And yes, the number could be wildly inaccurate. No system is perfect. But, give some indication to the wider community of the relative severity of the vulnerability, in the system they are using. No one gives a damn about the “but akshuly” prevaricating. We use automated tools to find and prioritize vulnerabilities in our environments, because we have neither the time nor the resources to go out and read up on every vulnerability as thoroughly as we would like. Maybe the author wants to make a new tool for us which goes out to every vendor’s site, reads the vulnerability rankings in whatever format the vendor is using today and then gives relative rankings for all those various versions of scoring. Though, I’m pretty sure that the tool would eventually boil down to the CVSS system, except the way he thinks things should be scored. And it would be wildly inaccurate for some use cases. And we’d be right back here with some other special snowflake “but akshulying” his way out of the system they have set up, perfect to be the enemy of good.