
I understand what you’re saying and generally agree. We get incoming bug bounty reports like “drop everything, here’s a 9.8 you need to fix right now!” that turn out to be a misunderstanding.

But in the case where multiple vendors have scores like:

- Amazon: Important (https://alas.aws.amazon.com/AL2/ALAS-2021-1619.html)

- Ubuntu: 9.8 (https://ubuntu.com/security/CVE-2021-27135)

- Red Hat: 9.6 (https://access.redhat.com/security/cve/CVE-2021-27135)

…it starts to look like there’s consensus that not only is there an RCE, but it’s really easy to exploit. I think that’s where CVSS starts to come in handy. An RCE is bad, but one that’s trivial to actually use is extra bad. And yes, CVSS absolutely has some Ouija properties, but it’s the most commonly used metric I’ve seen for communicating how bad a vulnerability actually is. In this case, it wasn’t just the reporter who said it was bad but all the affected vendors agreeing with them.



Ubuntu is just taking the score from NVD. Red Hat has applied the first Ouija input to it, adjusting it to "user interaction required". That changed the score from a 9.8 --- 0.2 points from the maximum possible CVSS score --- all the way down to... 9.6.

I can't think of a better illustration of how bad CVSS is.

Once again: my point isn't that the vulnerability is unimportant (though: it's not nearly as important as it likely seems) or that it doesn't belong on the HN front page (it is a very, very funny vulnerability). It's simply that we should not be editorializing CVSS scores into titles, or taking CVSS scores seriously when they occur organically in titles.

CVSS is very, very bad. It is the CISSP of security metrics.


That ending made me LOL. Well phrased.


I had to look it up: Certified Information Systems Security Professional



