Reply to post: It's not that simple though is it

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?


It's not that simple though is it

There is value in a simple message. Your out of date software scores a CVSS of 10 therefore "critical" therefore you must fix it.

That's a nice simple message to give to non-technical decision makers.

The nuance around the 'risk' presented by that vulnerability is much harder to articulate, and that is probably best managed by whatever means is most appropriate for the organisation. That doesn't remove the value of the simple scoring mechanism; it just puts an onus on security staff and accreditors to use that information properly.
