The question is not whether it is a bad metric, but whether it is a useful
one.
As a lurker on the first.org mailing list for the CVSSv3 SIG, I can assure you
that there are a lot of discussions about edge cases etc. v3 is a
meaningful improvement over v2. So far, CVSS has allowed industry broadly to
Hi Dave,
I participate on the CVSS SIG being run out of FIRST that is working on
improvements to CVSS. So do a number of people out of CERT CC, NIST, and MITRE,
along with a good representation of industry. A number of us provided feedback
on this paper. CVSS is for scoring the severity of a
> They use a ton of big words in the paper to call CVSS out and give it a
> shellacking. Like most of you, we have extensive use of CVSS in our
> consulting practice and I've seen this stuff first hand. CVSS is of course
> just a buggy compression algorithm for taking complex qualitative data
I wanted to take a few minutes and do a quick highlight of a paper from
CMU-CERT which I think most people have missed out on:
https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf
Towards Improving CVSS -