CVSS is bad and you should feel bad for using it
Here are two ways to think about vulnerability severity. The first is narrow, strict, and technical: the behavior of the software and its direct, immediate impact. This is a significant part of the thinking behind CVSS, specifically the Base metrics. The second, more realistic (and natural) approach considers context, environment, and threat; this is the territory of the CVSS Temporal and Environmental metrics. Add asset and loss values and you arrive at classical risk assessment.
Both of these lines of thinking can be useful, but it's critical to understand how each one is meant to be applied.
Heartbleed is a clear illustration of mis-application.
Defenders desperately seek information to prioritize their investments and activities. Such desperation leads to dangerous behavior, like using CVSS. Here are some other ways to think about vulnerability severity.