|
|
|
|
|
|
by tptacek
1106 days ago
|
|
|
They do not work in most cases. They provide psychological comfort to enterprise IT teams, but so would a literal Ouija board, as long as you hid it from the people using them. Obviously, the "environmental score" component of a CVSS is an admission that the whole system is intellectually bankrupt. I'd be interested if you could find a serious vulnerability researcher (say, anyone who has given a Black Hat talk or submitted a Usenix WOOT paper) who'd be willing to defend CVSS. My perception as an (erstwhile) practitioner is that CVSS is sort of an industrywide joke. |
|
|