[1MachineElf]

Do you have any thoughts on CVSSv4[0]? It appears to incorporate finer-grained and organization-specific scoring to address issues many have with the one size fits all approach currently used for CVEs.

[0] https://www.first.org/cvss/v4-0/

[lars_francke]

This already exists today where you can do custom scoring and some companies (e.g. Red Hat) already do so. CVSSv4 fixes some things, yes, but not the underlying issue which isn't so much a technical challenge (partially, sure) but a shift in policies and thinking.

The current model of "we need to get to 0 vulnerabilities in our scans" will lead to malicious compliance[1] and worse results compared to being able to focus on the few vulnerabilities that are really important. At least that's my very strong opinion.

[1] <https://www.youtube.com/watch?v=9weGi0csBZM>