|
|
|
|
|
|
by jeroenhd
194 days ago
|
|
|
Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores. While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug. |
|
|
Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.
Downplaying CVSS alone can smell a little like PR talk even however unintentional.