by tptacek 2447 days ago
CVSS has the opposite of merit; it actively confuses people. The same vulnerability found by 3 different teams will have 3 wildly different CVSS scores.

Low, medium, high, critical is actually the interpretive scale provided with CVSS! CVSS isn't getting you away from that; it's just giving you micro-gradations of "medium" or "high". But CVSS isn't even reliable to its first significant figure, let alone into the decimals.


Even worse: The CVSS "calculator" on HackerOne and similar platforms.

I have faithfully filled out a CVSS calculator form for small bugs that I'd consider sev:med and it happily declared them as sev:crit.

It's stupid. CVSS just muddies the water and creates the illusion of a measuring stick where there is none.

I don't bother with CVSS, and none of my clients even notice.

Just treat severity as an enum and explain your decision:

  typedef enum sev { info, low, med, high, crit } sev;
If your justification for severity score can fit in a tweet, and be understood by a layman, mission accomplished.
Doesn't that highlight that the problem is not CVSS, but that a better quantitative measurement is needed? What other system is there that would let the 3 people agree on something? Security people seem to be the only ones that use qualitative measurements and get away with it... because experts.