by tsujamin 841 days ago
How do you calculate that? How does the fact that it's over-the-internet vs. network-adjacent-only exploitable get accounted for? This is what CVSS is good for when applied accurately.

The fact that every competent organization has slightly different brackets for those levels is only one of the many reasons why CVSS is a joke.
CVSS has consistent rules, but yeah, the incentives that make people ignore particular rules (vulnerability chaining being the one I've seen before) make the public scores questionable sometimes. Still, it's a useful, if imperfect, tool in our industry, I think.
Take a look at FIRST's FAQ [1] w.r.t. Supplemental Metrics.

It’s so complicated you have to have a degree in CVSS to properly rate a vuln and it’s also highly subjective - which they want it to be.

[1]: https://www.first.org/cvss/v4.0/faq

No, CVSS does not have consistent rules. Even people who support CVSS don't claim it's consistent. It's deliberately designed so that organizations can make it say what they want/need it to.