by whydoyoucare 2447 days ago
I do agree CVSS is abused -- especially on NVD -- where they always compute it with "worst case scenario", lacking context and completely messing it up. However, I think CVSS does bring some merit, notably, 1. Forces one to think while assigning values, which means it is more likely that the score will reflect actual severity in most cases. 2. Sets a common tone -- language -- to understanding vulnerability severity, instead of low, medium, high, critical, super critical, which is even worse.

I don't see any scoring system to incorporate the actual operational context, since that is crucial to understanding the real impact of a security issue. CVSS is an attempt, nevertheless, and if you are careful while calculating it, it does add value.

In our organization, we always re-base a vulnerability to an operational context, which makes the score more meaningful.


CVSS has the opposite of merit; it actively confuses people. The same vulnerability found by 3 different teams will have 3 wildly different CVSS scores.

Low, medium, high, critical is actually the interpretive scale provided with CVSS! CVSS isn't getting you away from that; it's just giving you micro-gradations of "medium" or "high". But CVSS isn't even reliable to its first significant figure, let alone into the decimals.

Even worse: The CVSS "calculator" on HackerOne and similar platforms.

I have faithfully filled out a CVSS calculator form for small bugs that I'd consider sev:med and it happily declared them as sev:crit.

It's stupid. CVSS just muddies the water and creates the illusion of a measuring stick where there is none.

I don't bother with CVSS, and none of my clients even notice.

Just treat severity as an enum and explain your decision:

  typedef enum sev { info, low, med, high, crit } sev;

If your justification for a severity score can fit in a tweet and be understood by a layman, mission accomplished.
Doesn't that highlight that the problem is not CVSS, but that a better quantitative measurement is needed? What other system is there that would let the 3 people agree on something? Security people seem to be the only ones that use qualitative measurements and get away with it... because experts.