Re: The task sounds enormous
> It is obvious the CVSS is not very valuable
Rubbish. CVSSv3 serves a number of important purposes:
- It encourages various judges (original researchers, PSRT members, secondary researchers investigating CVEs and patches) to examine vulnerabilities from a variety of angles and consider a number of important aspects.
- It provides a measure of consistency in describing and evaluating a number of critical attributes of vulnerabilities, and a shared and well-defined vocabulary for discussing those attributes.
- It provides a multidimensional rating mechanism that, while necessarily simplified, assists in triage and discussion with non-experts.
- It also constitutes an industry-standard representation of those things, so we can avoid duplication and miscommunication among different organizations.
- It gives us a machine-readable representation, amenable to various sorts of automatic processing.
Frankly, I'm rather dubious about the IT-security credentials of anyone who dismisses CVSS. Standardization is critical for industrial scaling and efficiency.