Reply to post:

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Anonymous Coward
Anonymous Coward

CVSS has flaws for sure but it’s easy to say it sucks but not offer a better solution. For me, I find the subscores/vectors very useful as I combine them with Threat, business and technical impact and internal controls in a heavily modified version of owasp risk rating that is more contextual and useful than Tenable or Kenna Prioritization alone. For instance, I’m classifying assets and business drivers or other risk indicators like safety and grid reliability to drive this logic. You can’t do that with a generic prioritization score. Check out Fortress Information Security and you will be pleasantly surprised. or you can always visit owasp and roll your own.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon