Reply to post: Re: The task sounds enormous

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Michael Wojcik Silver badge

Re: The task sounds enormous

It is obvious the CVSS is not very valuable

Rubbish. CVSSv3 serves a number of important purposes:

- It encourages various judges (original researchers, PSRT members, secondary researchers investigating CVEs and patches) to examine vulnerabilities from a variety of angles and consider a number of important aspects.

- It provides a measure of consistency in describing and evaluating a number of critical attributes of vulnerabilities, and a shared and well-defined vocabulary for discussing those attributes.

- It provides a multidimensional rating mechanism that, while necessarily simplified, assists in triage and discussion with non-experts.

- It also constitutes an industry-standard representation of those things, so we can avoid duplication and miscommunication among different organizations.

- It gives us a machine-readable representation, amenable to various sorts of automatic processing.

Frankly, I'm rather dubious about the IT-security credentials of anyone who dismisses CVSS. Standardization is critical for industrial scaling and efficiency.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon