by tedunangst
3923 days ago
It's very murky whether loss of confidentiality should count as a loss of integrity. Obviously, the answer is almost always yes. If the system coughs up the root password to an exploit, and then you use the root password to rm /, there goes integrity and availability too. But should that be included in the score? Or is that simply a natural consequence that should be understood? I vote the latter. Otherwise every bug reads like a classic medical waiver: "may result in death!" Severity: 10!
The funny thing is: bumping up "integrity" from zero to nonzero only gets you from 8.x to 9.x. Which is obviously ridiculous! All things being equal, the difference between RCE (which CVSS can only encode as "integrity") and anything else is night and day.
I really dislike CVSS, and I think I speak for a big chunk of software security when I say that.