by worthless-trash
841 days ago
Maybe you've had bad experiences with some vendors doing analysis, however it is documented here: https://www.first.org/cvss/v3.0/user-guide

> Network vs Local vs Physical

Network: It has to traverse the network stack.
Adjacent: On the same physical network link (usually this means the ability to send packets that are lower level than TCP/IP).
Local: Ability to execute code on the local machine as the starting point.
Physical: You need to be able to touch the machine.

I'll be the first to admit that it can be difficult for some new players to correctly score their system. The "AV" refers to the attacker's perspective, not how the software is used; this is a common mistake that quite a lot of vendors make.
I've been on both sides of bug bounty programs over the years.
I've been in corporate meetings where CVSS was summoned to downgrade the severity of high-sev security bugs, when the standard procedure wasn't to use CVSS at all.
I've published my fair share of security bugs.
Hell, I've even talked extensively with Steve Coley about how CVE and CWE intersect with my own experience doing security research.
And that's just some of the stuff I've done under this handle.
My experience with CVSS has consistently shown it to be misused.
Maybe you have enough discipline to use CVSS as it was intended by its designers. The rest of the world does not, by and large.
The main problem with the CVSS is that it's a one-dimensional numeric scale that's meant to measure the kind of complexity that warrants a formal threat model, not a 0-10 rating.