Reply to post: Borderline meaningless

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Claptrap314 Silver badge

Borderline meaningless

NO one who has spent any time thinking about this issue uses CVE scores as anything other than a rank order in evaluating bugs that came in overnight. I've never gone to management and said, "Boss, we have to get on this one--it's a CVE 7!" or 8 or 9 or 10. If a point upgrade of the associated libraries is not enough, you evaluate the vuln in the context of your business, and, depending on how much process is needed, present the case to manglement about the actual threats the business faces relative to the known vulnerabilities in the system.

And while I'm in a bad mood, why are people talking about vuln chaining? Maybe it's a civilian mindset that I miss, but you infiltrate the same way you build--one step at a time. This has always been the case. Again, I've never said, "Oh, it's just a privilege escalation bug", or "Oh, it's just a unauthorized access issue." Every vuln in your system is a stepping stone to the next (potentially currently unknown) bigger vuln.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon