Hacker News
by Sebguer 1640 days ago
That's fair, but it's not really the fault of MITRE / the CVE database, it's the fact that people have been incentivized to submit these. Similar conversations have come up around how NPM handles vulnerability reports, since they treat all vulnerabilities the same, including very low-risk ones like DoS risks that require control of your build pipeline.

The problem is compounded in cases like Log4j where not even the CVE score can be trusted, or in cases you're describing where end-users don't understand CVE itself and only know it in the context of these 'world-ending' vulnerabilities.


The CVSS score cannot be trusted? How so? I don't see why any of the log4j CVEs 'can't be trusted'?
The third CVE arbitrarily had a score of ~7.5 despite requiring a non-standard configuration and only enabling a denial of service attack. The preceding CVE with the same outcome only warranted a 3.5, until it was shown to also potentially allow an RCE. CVSS is honestly pretty open to interpretation, since it's not a particularly objective set of measures.
Fair enough, I agree with you there. CVSS(v2/v3) can be subjective and can change when new information comes to light.