by jsploit 2115 days ago
Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).

I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's a ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the ouija levels clients want --- to shut up the suits in compliance.

CVSS being used as a basis for bounty payments is certainly evidence that it is taken seriously. Of course there are details that have to be factored in after that calculation, since CVSS is simplified for general usage.

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".

I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.

Any metric is nonsense if used improperly.

I am arguing that there is no proper way to use this.

Any ouija board lies with the wrong seance supervisor.