by some_furry 840 days ago
> Maybe you've had bad experiences with some vendors doing analysis however

I've been on both sides of bug bounty programs over the years.

I've been in corporate meetings where CVSS was summoned to downgrade the severity of high-sev security bugs, when the standard procedure wasn't to use CVSS at all.

I've published my fair share of security bugs.

Hell, I've even talked extensively with Steve Coley about how CVE and CWE intersect with my own experience doing security research.

And that's just some of the stuff I've done under this handle.

My experience with CVSS has consistently shown it to be misused.

Maybe you have enough discipline to use CVSS as it was intended by its designers. The rest of the world does not, by and large.

The main problem with the CVSS is that it's a one-dimensional numeric scale that's meant to measure the kind of complexity that warrants a formal threat model, not a 0-10 rating.