by CiPHPerCoder
2447 days ago
Even worse: the CVSS "calculator" on HackerOne and similar platforms. I have faithfully filled out a CVSS calculator form for small bugs that I'd consider sev:med, and it happily declared them sev:crit. It's stupid. CVSS just muddies the water and creates the illusion of a measuring stick where there is none. I don't bother with CVSS, and none of my clients even notice. Just treat severity as an enum and explain your decision:

    typedef enum sev { info, low, med, high, crit } sev;

If your justification for a severity score can fit in a tweet and be understood by a layman, mission accomplished.