Reply to post: Re: The logical next step is the two-dimensional risk rating approach

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Michael Wojcik Silver badge

Re: The logical next step is the two-dimensional risk rating approach

CVSSv3 also incorporates a base, temporal, and environmental score. Most outlets don't do a good job of reporting or explaining those.

While publishing the vector isn't useful for human readers (that's not the intended audience), there's nothing to stop someone from providing a concise text explanation.

CVE-2019-xxxx has a CVSSv3 base score of 10 (over the network, easy to attack, no privilege required, no user interaction required; high risk to confidentiality, integrity, and availability).

Obviously there's still some jargon, or at least terms of art, in that, but you don't have to be an IT security expert to understand it.

You left off the temporal and environmental scores in your example vector, so explaining those in plain language is left as an exercise for the reader.

It's all very well for Rogers to say we need a different scoring system and representation, but CVSSv3 does incorporate a threat model, and considering combinations of vulnerabilities quickly falls foul of combinatorial explosion. While he raises some good points, and while theoretical speculation is useful, it won't get us very far until someone has a concrete proposal. I'd say that CVSSv3 does a good job at the function it's intended to perform; that function is valuable; and interpreting combinations of vulnerabilities under richer threat models is the job of human experts, not a mechanical scoring system.
