It is a tool to have a discussion, not a solution to risk management. Security is one of the few fields that uses qualitative measurements, and any attempt at applying more quantitative techniques faces a lot of resistance.
CVSS in isolation is pretty good, but for risk management it lacks "context". A higher level framework would be needed for that.
A bug can have a CVSS score of 10 (critical), and still have little to no impact to the business. It's all about context.
I don't think it was even ever intended to be more than a data point to consider for risk management but dev