Reply to post: Can't say that I agree at all

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

chuckrman

Can't say that I agree at all

The point of the scoring system is to draw attention to the bloody obvious. In general it works for reasons already stated in the comments. Because it is simple enough to understand. If your organization actually takes risk management seriously, it has in-house staff to do the scoring in the context of how it affects the organization. Risk and threat modeling is not something I would expect someone outside my organization to understand as far as it applies to my organization because they lack the information to do so. I would not expect any agency or a third party organization to do a valid scoring for my organization as a general rule (auditing etc. not included). They can't and even if they could it would not scale to try and keep such a vast library up to date. The simplicity scales.
