NVD makes up vulnerability severity levels | daniel.haxx.se
March 6, 2023
CVSS is a shitty system
Anyone who ever gets a problem reported for their project and tries to assess and set a CVSS score will immediately realize what an imperfect, simplified and one-dimensional concept this is.
Source: NVD makes up vulnerability severity levels | daniel.haxx.se
Looks like I'm not the only one constantly irritated by the way security vulnerabilities are rated by third parties. One of the biggest annoyances I have at work is poorly-assessed CVEs turning into a series of customers freaking out over something that does not actually affect them, and the usual culprit is a bad CVSS score.
It's also a big time waster - when Ubuntu's assessment of a CVE disagrees with that of the CVSS score, it forces people to start justifying the assessments, which wastes a bunch of time talking that could've been spent fixing something important, or triaging new issues.
The elephant in this particular room is that the security companies have an obvious business motivation to over-rate CVE danger levels, as it's basically free advertising for their service. It works hand-in-hand with what I like to call "security theater CVEs" - those supposedly-massive issues that invariably have a scary-sounding name and a professionally-designed website describing the bug in excruciating detail, and how Super Genius Computer Engineer(tm), who is named and linked in multiple places on said website, conducted a Sherlock Holmes level investigation, and is now Someone You Should Trust(tm) for your computing security needs. Anything even remotely scary gets milked for every advertising dollar it can, and certainly GitHub, being part of MS now, has every obvious reason to play this game.
It sucks that GitHub is shoving this kind of crap down developers' throats, but you can set up your own GitLab instance pretty easily these days too, so there is another choice. I highly recommend trying it out; once I'd gotten the hang of it, adding one to CC was very easy, and I even have free "on-prem" for my own CI systems.