|
|
|
|
|
|
by enzanki_ars
1095 days ago
|
|
|
The problem is the CVE score do work in most cases. A lot of organizations still prioritize updates based on their CVE score, and don't bother with updating unless it meets a certain threshold. If it doesn't meet that threshold, then they wait until their monthly patching cycle, or don't even bother updating ever at all. Until that culture is fixed/adjusted, having a scoring mechanism that is easy enough for manager/executive type people to easily understand risk without any technical knowledge is important. Way easier to argue for an emergency patch/downtime that could cost money when there is a big scary 9 associated with it. And so if the scoring is off and not accurately representing risk, let's work to improve those scores, rather than getting rid of them. Plus, there is a reason environmental scores exist in the CVSS mechanizm, as it allows for folks to adjust the CVE number to better fit their environment and specifications. I'd personally rather see more CVEs appear and be tracked quickly for easier referencing and discussing, with a slightly adjusted formula to better reflect severity. |
|
|
That doesn't mean it works; that could just mean organizations either a) don't understand the actual severity of their own vulnerabilities, and prioritize fixes based on an incorrect metric; or b) recognize that the CVE score is garbage, but don't want to appear to their users as ignoring or de-prioritizing supposedly-severe issues.
Neither one of these options is good!