by memorysafety 998 days ago
CVE scoring is a parasocial activity. Hence so much drama.

Similarly to SemVer, the good-faith grader attempts to convey a sizeable blob of knowledge... by compressing it into a one-dimensional number. No matter the scoring formula, this step is lossy.

On the receiving end of this communication, all you can do with the score is add a huge grain of salt to it, then perhaps use it to prioritize your review queue. You still must check the details, and work out a judgement tailored to your specific context. There's no other way.

There isn't a choice for the grader either, to skip the obscenely lossy scoring step. Just like with release versions, they must do it, as the audience consists of an unbounded number of engineers; faithfully doing it saves mountains of time for everyone involved (present and future).

Just like with dependency upgrades, it's the consumer's choice to disregard CVE scores (version numbers), vulnDB entries (changelogs), or even the very existence of a vulnerability (upgrade). Likewise, it's their fault if consequences arise.

Viewed thus, it can be seen that anecdotes of pointwise drama will continue (even when the bulk of activity chugs along happily, efficiently and quietly) -- because at the core of it, CVE IDs and scores are just that, a communication tool. It mostly can't make strangers exercise care or spend effort more than they're willing to. It can optimise the utility of the attention that they do pay.