Reply to post: The task sounds enormous

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Pascal Monett Silver badge

The task sounds enormous

So, two low-scoring vulns could be combined into one big problem. Sure, theoretically, but how do you evaluate just how many low-scoring things can be combined and in what way, before you can rate all of them properly ?

Security is always in hindsight. We know to look out for privilege escalation issues because some hacker one day taught us that it worked. We have a body of knowledge today that is certainly impressive, and it will be one hell of a task to knit all that knowledge together to create a proper rating system, but there is no such thing as automating the risk evaluation - it has to be analyzed by a human. Humans don't know everything, and are rather bad at taking into account hundreds of parameters at once.

It is obvious the CVSS is not very valuable, but crafting a good replacement is going to be a massive headache. And yet, it should definitely be done. Good luck with that, then.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon