by altharaz 1466 days ago
Very great article.

At the moment IMHO the major issue comes from the fact that people use only the Basic Score of the CVSS 3.1, issued by the NVD.

Indeed, if you also take the Temporal Score (with CTI feeds for example), and if you add the Environmental Score, then you can have very good results to help prioritize the vulnerabilities on your assets and reflect the real threat.

I would also like, however, to see the CVSS4 with a "cost to patch" component: in OT environments, CISOs like to use the SSVC because it’s the easiest way to say "wait" instead of "patch now". But since SSVC is not really recognized by all auditors, it generates conflicts. Bringing a component into the CVSS to reflect the cost of remediation on very complex devices, where deploying a KB requires stopping a full factory, could help get the same results (aka "don’t patch now and wait") but with a more respected scoring system.

From my perspective, that’s the only missing component for a good CVSS system :).


> I would also like, however, to see the CVSS4 with a "cost to patch" component: in OT environments, CISOs like to use the SSVC because it’s the easiest way to say "wait" instead of "patch now". But since SSVC is not really recognized by all auditors, it generates conflicts. Bringing a component into the CVSS to reflect the cost of remediation on very complex devices, where deploying a KB requires stopping a full factory, could help get the same results (aka "don’t patch now and wait") but with a more respected scoring system.

The issue with this is that the people who are best suited to score an issue from the reporting perspective won't necessarily have any idea what the cost to patch something actually is. This is why CVSS shouldn't be used as a be-all-and-end-all metric for anything: there are a lot of factors that don't relate to the vulnerability's relative severity that it does not account for.