by lars_francke 1005 days ago
This already exists today where you can do custom scoring and some companies (e.g. Red Hat) already do so. CVSSv4 fixes some things, yes, but not the underlying issue which isn't so much a technical challenge (partially, sure) but a shift in policies and thinking.

The current model of "we need to get to 0 vulnerabilities in our scans" will lead to malicious compliance[1] and worse results compared to being able to focus on the few vulnerabilities that are really important. At least that's my very strong opinion.

[1] <https://www.youtube.com/watch?v=9weGi0csBZM>