undefined | Better HN

0 pointsjascii6y ago0 comments

> CVSS is a ouija metric without any real merit.

Tell that to the hard working folks that define the standard, I'm sure they'll appreciate it..

Like any such metric, CVSS is far from perfect, however, in the real world you are sometimes called upon to express things in a quantitative manner even if they are better expressed in a qualitative manner, for instance when you need to justify security spending in a corporate environment, or in the context of compliance reporting. Do you know of a better tool/standard?

> If companies are going to hype bugs, let it be for stuff like this!

That's a bit like crying wolf though, isn't it? It desensitises people to actual issues and takes focus and funds away from them. This kind of fear based marketing might be useful if your goal is to suck a naive client dry for a year or so, if you are actually trying to make the world a safer place it does more harm then good.

0 comments

tptacek6y ago

Steve Christey? I have. Many times. He's fine with it. (I assume he disagrees! He's wrong!) Sorry, you'll have to find someone else to take vicarious offense for.

CVSS doesn't work, for the reasons I gave, and have given other times on HN; the search bar will help you if you want to dig in.

jasciiOP6y ago

> CVSS doesn't work, for the reasons I gave

You didn't give any reasons. If you want to have a civil discourse, at least try to justify your opinions.

j / k navigate · click thread line to collapse