In general, I'm not a fan of vulnerability quantification efforts like CVSS.<p>The reason is that they provide the appearance of repeatability and objectivity when, in reality, many of the assessments used are subjective and opinion based.<p>A simple "critical", "high", "medium", "low" will generally provide enough actionable information without pretending to be something it's not.<p>For examples of the weaknesses of CVSS, you only have to look at the software that uses it, like vulnerability scanners.<p>In many cases they have different ratings for the same issue and also have ratings which are nonsensical.<p>Here's one example.<p>Telnet (totally unencrypted protocol) CVSS v2 5.8 <a href="https://www.tenable.com/plugins/nessus/42263" rel="nofollow">https://www.tenable.com/plugins/nessus/42263</a><p>SSL self-signed cert CVSS v2 6.4 <a href="https://www.tenable.com/plugins/nessus/57582" rel="nofollow">https://www.tenable.com/plugins/nessus/57582</a><p>So using an unencrypted protocol is worse than an encrypted one with a self-signed cert (and before anyone says "ah, that could be because people misplace trust in the cert", that's not a factor in CVSS calcs), yet the unencrypted protocol scores lower.
Once upon a time I wrote a CVSS 2/3 library for Python[1] (more have appeared now, this[2] looks nicer).<p>CVSS is really complex and seemingly arbitrary. Take a look at this (rather horrible) code to calculate a CVSS score from another library[3]. Yes, the code is disgusting, but even if you abstract it away nicely it boils down to: do some maths with some arbitrary numbers[4], then perform a bunch of conditions, and you (hopefully) get 3 numbers spat out.<p>I don't like it. There are bugs in the 'official' calculator around floating point numbers, the spec had several typos in the calculations (one being an extraneous negative symbol!) and the naming system for the components is needlessly complex.<p>There are surely simpler, less magical ways to score, compare and rate vulnerabilities?<p>1. <a href="https://github.com/ctxis/cvsslib" rel="nofollow">https://github.com/ctxis/cvsslib</a><p>2. <a href="https://github.com/skontar/cvss" rel="nofollow">https://github.com/skontar/cvss</a><p>3. <a href="https://github.com/toolswatch/pycvss3/blob/master/lib/pycvss3.py#L32" rel="nofollow">https://github.com/toolswatch/pycvss3/blob/master/lib/pycvss...</a><p>4. <a href="https://www.first.org/cvss/specification-document#7-1-Base-Metrics-Equations" rel="nofollow">https://www.first.org/cvss/specification-document#7-1-Base-M...</a>
I don't know any real software security person who takes CVSS seriously. It's mostly a Ouija board you use to rationalize setting finding severities where you want them (high if you're on offense, low if you're on defense).<p>The other useful function of CVSS is to flag people you shouldn't take seriously in the industry. So, for instance, Kevin Mitnick runs a "zero-day vulnerability brokerage" that only accepts zero-days past a threshold CVSS. That's a pretty decent clue about the legitimacy of the service.<p>Don't waste time with CVSS.