by tptacek 841 days ago
I agree strongly. sev:{info,lo,med,hi,crit}. All you really need.

How do you calculate that? How does the fact that it's exploitable over the internet vs. only from an adjacent network factor in? This is what CVSS is good for when applied accurately.
The fact that every competent organization has slightly different brackets for those levels is only one of the many reasons why CVSS is a joke.
CVSS has consistent rules, but yeah, then incentives that make people ignore particular rules (vulnerability chaining being the one I've seen before) make the public scores questionable sometimes. Still, it's a useful, if imperfect, tool in our industry, I think.
Take a look at FIRST's FAQ [1] wrt Supplemental Metrics.

It’s so complicated you have to have a degree in CVSS to properly rate a vuln and it’s also highly subjective - which they want it to be.

[1]: https://www.first.org/cvss/v4.0/faq

No, CVSS does not have consistent rules. Even people who support CVSS don't claim it's consistent. It's deliberately designed so that organizations can make it say what they want/need it to.