Hacker News new | ask | show | jobs
by adricnet 3923 days ago
Okay, so looking over the post they didn't feel like CVSS 2 was giving a clear indication of risk, and CVSS 3 isn't done yet and lacks perfection. That's sensible enough, I suppose.

I hope they took more than a glance at what some other vendors are doing (EG Microsoft) before adding to what can already be a confusing collection of incompatible qualitative ratings :/

As noted by other commenters here a vague description of the category and some idea of the global risk, with a spot for you to add local risk seems a good tool here that serves both attack and defense with some balance. Oh, wait, we have that already in CVSS!

edit: spell acronyms right!
1 comments
tptacek 3923 days ago
I don't know many practicing software security people that put much stock in CVSS. CVSS v2 in particular was not very useful in practice. Further: there aren't many people even in the security industry that have an intuitive feel for how to respond to CVSS scores.

As an exercise, go to the CVSS v2 calculator and score Heartbleed. I bet you end up with something different than I do, and different from the next person to do it.

https://nvd.nist.gov/CVSS-v2-Calculator

Later

I polled my security friends Slack to do Heartbleed on CVSS3. Four different people, four very different scores, and the differences were significant; for instance: some people gave it integrity impact, others didn't. Also: CVSS version 3 remains as inscrutable as ever.

link
tedunangst 3923 days ago
It's very murky whether loss of confidentiality should count as a loss of integrity. Obviously, the answer is almost always yes. If the system coughs up the root password to an exploit, and then you use the root password to rm /, there goes integrity and availability too. But should that be included in the score? Or is that simply a natural consequence that should be understood.

I vote the latter. Otherwise every bug reads like a classic medical waiver: "may result in death!" Severity: 10!

link
tptacek 3922 days ago
I gave Heartbleed no integrity impact.

The funny thing is: bumping up "integrity" from zero to nonzero only gets you from 8.x to 9.x. Which is obviously ridiculous! All things being equal, the difference between RCE (which CVSS can only encode as "integrity") and anything else is night and day.

I really dislike CVSS, and I think I speak for a big chunk of software security when I say that.

link