CVSS is short for Common Vulnerability Scoring System and is, according to Wikipedia, a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online CVSS calculator, click a few checkboxes and radio buttons and then you magically get a number from 0 to 10. There are also different versions … (excerpt from "CVSS is dead to us")
Daniel Stenberg says the scores are “security misinformation”.
To a degree, he’s right. But it’s not the scores that are failing; it’s the scoring body.
The scores do fail though; they don’t encompass enough information. They can’t encompass enough information because something that is critical in one sense (e.g., and making shit up here, Java listening to the internet) might not be in another (e.g., Java running on specific scientific data in an air-gapped environment). Security is always situation- and risk-appetite-dependent. No number can encompass all that.
Maybe they should have a combo number; that would get us closer. But, still, the actual governing body must be completely impartial and logical in its rating. But also, we have to make a reality check on the priority of the rating in our own environments. Using your example, a 10 rating might be a 1 for that air-gapped machine—judgement call.