
CVSS is bad and you should feel bad for using it

Art Manion

Here are two ways to think about vulnerability severity. The first is narrow, strict and technical: the behavior of the software and its direct, immediate impact. This is a significant part of the thinking behind CVSS, specifically the Base metric group. The second, more realistic (and natural) approach considers context, environment and threat: the CVSS Temporal and Environmental metric groups. Add asset and loss values to those and you get classical risk assessment.

Both of these lines of thinking can be useful, but it is critical to understand which one you are applying, and to what.

Heartbleed is a clear illustration of mis-application.

Defenders desperately seek information to prioritize their investments and activities. Such desperation leads to dangerous behavior, like using CVSS. Here are some other ways to think about vulnerability severity.