We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Not helped by bad scores

We’re seeing a spate of CVEs with bloody stupid CVSS scores recently, not helped by bloody stupid bugs that aren’t security issues.

For example, flaws that require physical access to exploit are being marked as exploitable over the network, which pushes the score up. Bugs that fail to check a return value during boot are also being marked as network exploitable, even though there is no network at the time and no practicable way to exploit the thing anyway.

NVD are unwilling to address this problem, so the scores are rapidly becoming useless, and so we see a lot of people asking for better ways of scoring. I’d settle for NVD accepting their limitations and asking experts for help to score vulns.

It’s exasperating.