[tptacek]

I would be interested in seeing a professional vulnerability researcher of any note jumping in here to make a defense of CVSS. I'd rebut, respectfully, if they did. But I don't expect it to happen, despite that there are plenty of researchers on HN.

I feel like I'm on reasonably safe ground when I say that my take on CVSS is a mainstream one in the field.

[some_furry]

I've only seen CVSS used by vendors to declare a lower severity rating than is warranted by an earnest understanding of a bug, and bug bounty hunters to do the opposite.

For example, what does Network vs Local vs Physical mean if it's an exploit in a cloud microservice?

Ooh let me consult the tea leaves. What's that? They consider it "Network" even though it's S3 mounted locally as a filesystem? Now that sev:med looks like a sev:crit.

The known alternative to CVSS is to rate severity levels entirely on vibes, and I find vibes to be more accurate.

[worthless-trash]

Maybe you've had bad experiences with some vendors doing analysis however it i documented here: https://www.first.org/cvss/v3.0/user-guide

> Network vs Local vs Physical

Network: It has to traverse the network stack. Adjacent: On the same physical network link, (usually this means the ability to send packets that are lower level than TCP/IP). Local: ability to execute code on the local machine as the starting point. Physical: You need to be able to touch the machine.

I'll be the first to admit that it can be difficult for some new players to correctly score their system. The "AV" refers to the attackers perspective, not how the software is used, this is a common mistake that quite a lot of vendors make.

[some_furry]

> Maybe you've had bad experiences with some vendors doing analysis however

I've been on both sides of bug bounty programs over the years.

I've been in corporate meetings where CVSS was summoned to downgrade the severity of high-sev security bugs, when the standard procedure wasn't to use CVSS at all.

I've published my fair share of security bugs.

Hell, I've even talked extensively with Steve Coley about how CVE and CWE intersect with my own experience doing security research.

And that's just some of the stuff I've done under this handle.

My experience with CVSS has consistently shown it to be misused.

Maybe you have enough discipline to use CVSS as it was intended by its designers. The rest of the world does not, by and large.

The main problem with the CVSS is that it's a one-dimensional numeric scale that's meant to measure the kind of complexity that warrants a formal threat model, not a 0-10 rating.

[tptacek]

I agree strongly. sev:{info,lo,med,hi,crit}. All you really need.

[tsujamin]

How do you calculate that? How does the fact it’s an over-the-internet vs. network adjacent only exploitable? This is what CVSS is good for when applied accurately

[tptacek]

The fact that every competent organization has slightly different brackets for those levels is only one of the many reasons why CVSS is a joke.

[tsujamin]

CVSS has consistent rules, but yeah then incentives that make people ignore particular rules (vulnerability chaining being the one that I’ve seen before) makes the public scores questionable sometimes. Still it’s a useful, if imperfect, tool in our industry I think.

[_tk_]

Take a look at FIRST‘s FAQ wrt Supplemental Metrics.

It’s so complicated you have to have a degree in CVSS to properly rate a vuln and it’s also highly subjective - which they want it to be.

[1]: https://www.first.org/cvss/v4.0/faq

[tptacek]

No, CVSS does not have consistent rules. Even people who support CVSS don't claim it's consistent. It's deliberately designed so that organizations can make it say what they want/need it to.

[tsujamin]

Can’t speak for others, but I’m talking from some experience here triaging and reporting fwiw. Not that I’m notable :)

[_tk_]

I guess it depends on what field you are talking about. I'd say that the typical scores on CVEs can be helpful indicators, but that's really it. I'd agree with you, that everyone(?) in the field knows, that all players game the systems, e.g. Microsoft every patch Tuesday, or someone with a cool name for a vuln and a blog.