by tptacek 3923 days ago
I don't know many practicing software security people that put much stock in CVSS. CVSS v2 in particular was not very useful in practice. Further: there aren't many people even in the security industry that have an intuitive feel for how to respond to CVSS scores.

As an exercise, go to the CVSS v2 calculator and score Heartbleed. I bet you end up with something different than I do, and different from the next person to do it.

https://nvd.nist.gov/CVSS-v2-Calculator

Later

I polled my security friends' Slack to do Heartbleed on CVSS3. Four different people, four very different scores, and the differences were significant; for instance, some people gave it integrity impact, others didn't. Also: CVSS version 3 remains as inscrutable as ever.

1 comment

It's very murky whether loss of confidentiality should count as a loss of integrity. Obviously, the answer is almost always yes. If the system coughs up the root password to an exploit, and then you use the root password to rm /, there goes integrity and availability too. But should that be included in the score? Or is that simply a natural consequence that should be understood?

I vote the latter. Otherwise every bug reads like a classic medical waiver: "may result in death!" Severity: 10!

I gave Heartbleed no integrity impact.

The funny thing is: bumping up "integrity" from zero to nonzero only gets you from 8.x to 9.x. Which is obviously ridiculous! All things being equal, the difference between RCE (which CVSS can only encode as "integrity") and anything else is night and day.

I really dislike CVSS, and I think I speak for a big chunk of software security when I say that.