Reply to post:

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Anonymous Coward

CVSS has flaws, for sure, but it’s easy to say it sucks and not offer a better solution. For me, I find the subscores/vectors very useful, as I combine them with threat, business and technical impact and internal controls in a heavily modified version of the OWASP risk rating that is more contextual and useful than Tenable or Kenna prioritization alone. For instance, I’m classifying assets and business drivers or other risk indicators like safety and grid reliability to drive this logic. You can’t do that with a generic prioritization score. Check out Fortress Information Security and you will be pleasantly surprised. https://fortressinfosec.com or you can always visit OWASP and roll your own.
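To make the commenter's point concrete, here is an added example (not the commenter's model, not Fortress Information Security's product, and not OWASP's own code) that computes the CVSS v3.1 base score from a vector string using the equations in the FIRST specification, then re-ranks the same finding with an OWASP Risk Rating style likelihood-by-impact matrix. The contextual layer is an assumption: the weights for threat activity, compensating controls and business criticality, the `exploited_in_wild`, `controls`, `classification` and `safety_or_reliability` context keys, and the two asset profiles are all constructed for illustration. The interesting output is that a 9.8 on a low-value lab host and a 7.3 on a safety-relevant grid asset come out in the opposite order once context is applied.

```python
"""CVSS v3.1 base score from a vector, then an OWASP-style contextual re-rank.

Added illustration: CVSS equations follow the FIRST v3.1 specification; the
contextual weights and context keys below are assumptions, not a published model.
"""
import math

# CVSS v3.1 metric weights (from the specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/...' into a metric dict; reject incomplete vectors."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported: %r" % vector)
    metrics = dict(part.split(":", 1) for part in parts[1:])
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError("vector is missing base metrics: %s" % ", ".join(missing))
    return metrics


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value (float-safe form)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def subscores(metrics):
    """Return (impact, exploitability, scope_changed) exactly as the spec defines them."""
    changed = metrics["S"] == "C"
    iss = 1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]]) * (1 - CIA[metrics["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (PR_CHANGED if changed else PR_UNCHANGED)[metrics["PR"]]
    exploitability = 8.22 * AV[metrics["AV"]] * AC[metrics["AC"]] * pr * UI[metrics["UI"]]
    return impact, exploitability, changed


def base_score(vector):
    """The generic 0-10 number the thread is arguing about."""
    impact, exploitability, changed = subscores(parse_vector(vector))
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if changed:
        total *= 1.08
    return roundup(min(total, 10))


# Contextual layer: assumed weights, OWASP Risk Rating 0-9 bands and matrix.
MAX_EXPLOITABILITY = 8.22 * 0.85 * 0.77 * 0.85 * 0.85          # AV:N/AC:L/PR:N/UI:N
_ISS_MAX = 1 - (1 - 0.56) ** 3
MAX_IMPACT = 7.52 * (_ISS_MAX - 0.029) - 3.25 * (_ISS_MAX - 0.02) ** 15  # S:C, C/I/A all H
BUSINESS_IMPACT = {"critical": 9, "high": 6, "medium": 3, "low": 1}  # assumed mapping
SEVERITY = {  # (likelihood band, impact band) -> OWASP overall severity
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}


def owasp_band(value):
    """OWASP Risk Rating bands on the 0-9 scale: LOW < 3, MEDIUM < 6, else HIGH."""
    return "LOW" if value < 3 else "MEDIUM" if value < 6 else "HIGH"


def contextual_rating(vector, context):
    """Combine CVSS subscores with threat activity, controls and business impact."""
    impact, exploitability, _ = subscores(parse_vector(vector))
    # Likelihood: exploitability scaled to 0-9, raised for active exploitation,
    # reduced by 25% per compensating control (at most two counted). Assumed weights.
    likelihood = exploitability / MAX_EXPLOITABILITY * 9
    if context.get("exploited_in_wild"):
        likelihood += 3
    likelihood *= 1 - 0.25 * min(2, len(context.get("controls", [])))
    likelihood = min(9.0, likelihood)
    # Impact: business classification (or a safety/reliability flag) takes
    # precedence over the technical subscore, as OWASP's guidance suggests.
    business = BUSINESS_IMPACT.get(context.get("classification"))
    if context.get("safety_or_reliability"):
        business = 9
    technical = impact / MAX_IMPACT * 9
    impact_score = business if business is not None else technical
    rating = SEVERITY[(owasp_band(likelihood), owasp_band(impact_score))]
    return {"base_score": base_score(vector), "likelihood": round(likelihood, 1),
            "impact": round(impact_score, 1), "rating": rating}


if __name__ == "__main__":
    # Constructed asset profiles: a throwaway lab host and a grid-control server.
    lab = {"classification": "low", "controls": ["no_inbound", "edr"], "exploited_in_wild": False}
    grid = {"classification": "critical", "safety_or_reliability": True, "exploited_in_wild": True}
    print(contextual_rating("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", lab))
    print(contextual_rating("CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", grid))
```

The base-score half is the generic number; everything after `MAX_EXPLOITABILITY` is the part you would replace with your own asset classification, threat feed and control inventory, which is the "roll your own" the comment refers to.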
