▲ 8 r/ExploitDev
CVSS scores are a terrible prioritization framework and we're all too comfortable pretending they work
Hot take but CVSS scores have made us lazy.
A critical is a critical is a critical. 9.8 on a library your app doesn't even load goes to the top of the queue, meanwhile the 6.5 that's reachable sits there for 6 weeks because nobody looked past the score.
We built entire vuln management programs around a number that tells you severity but zero about exploitability. And we act surprised when teams burn out chasing ghosts.
How are y'all prioritizing beyond CVSS?
u/Local-Ad1960 — 8 days ago
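One way to put the post's point into a working triage rule, as an added example that is not the OP's code or any tool mentioned in the thread: treat reachability as a gate rather than a weight, then let exploitation evidence and exposure move reachable findings within the queue. The `Finding` fields, the multipliers and the SLA buckets are assumptions chosen for illustration; the three sample findings are constructed to mirror the 9.8-unloaded vs 6.5-reachable case above.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding with the context CVSS alone does not carry.

    All fields beyond cvss_base are assumptions for this example; a real
    program would populate them from SCA reachability analysis, an
    exploited-in-the-wild feed and an asset inventory.
    """
    id: str
    cvss_base: float       # CVSS base score as reported by the scanner
    reachable: bool        # vulnerable code is loaded and on an executable path
    known_exploited: bool  # exploitation in the wild is publicly reported
    internet_exposed: bool # affected component faces untrusted networks


def priority_score(f: Finding) -> float:
    """Context-adjusted score in [0, 10].

    Unreachable findings are heavily discounted (kept for hygiene, not
    chased), reachable ones start from CVSS and move up with evidence of
    real-world exploitation and exposure. The 0.1 / +2.0 / +1.0 factors are
    illustrative assumptions, not a published formula.
    """
    if not f.reachable:
        return round(f.cvss_base * 0.1, 2)
    score = f.cvss_base
    if f.known_exploited:
        score += 2.0
    if f.internet_exposed:
        score += 1.0
    return min(score, 10.0)


def sla_bucket(f: Finding) -> str:
    """Map the adjusted score onto the queue a team actually works from."""
    s = priority_score(f)
    if s >= 9.0:
        return "fix_now"
    if s >= 7.0:
        return "this_sprint"
    if s >= 4.0:
        return "next_quarter"
    return "backlog"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings by adjusted score, highest first; CVSS breaks ties."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss_base), reverse=True)


# Constructed sample findings (not real CVEs): the post's two cases plus one
# that is both reachable and already exploited in the wild.
SAMPLE_FINDINGS = [
    Finding("unloaded-lib-9.8", 9.8, reachable=False, known_exploited=False, internet_exposed=True),
    Finding("reachable-parser-6.5", 6.5, reachable=True, known_exploited=False, internet_exposed=True),
    Finding("reachable-exploited-8.1", 8.1, reachable=True, known_exploited=True, internet_exposed=True),
]


def ranked_ids(findings: list[Finding] = SAMPLE_FINDINGS) -> list[str]:
    """Convenience wrapper returning just the ordered finding ids."""
    return [f.id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.id:28} cvss={f.cvss_base:<4} adjusted={priority_score(f):<5} -> {sla_bucket(f)}")
```

Run as-is and the 9.8 on the unloaded library drops to the backlog while the reachable 6.5 lands in the current sprint, which is the ordering the post argues a score-only queue gets backwards. The gate is deliberately conservative: an unreachable finding is never silently closed, only pushed below anything with a real path to execution, so a later code change that makes it reachable can re-promote it.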