undefined | Better HN

0 pointstsujamin2y ago0 comments

CVSS as practiced sucks sometimes, the rules around not chaining vulnerabilities to up a score are rarely followed, but as specified it’s actually a good system.

Undercutting my own point though, it doesn’t hurt to rerun a calculation if you think the public vectors is “lacking” or if temporal/environmental metrics matter in your context

0 comments

6 comments · 1 top-level

tptacek2y ago· 5 in thread

I would be interested in seeing a professional vulnerability researcher of any note jumping in here to make a defense of CVSS. I'd rebut, respectfully, if they did. But I don't expect it to happen, despite that there are plenty of researchers on HN.

I feel like I'm on reasonably safe ground when I say that my take on CVSS is a mainstream one in the field.

some_furry2y ago

I've only seen CVSS used by vendors to declare a lower severity rating than is warranted by an earnest understanding of a bug, and bug bounty hunters to do the opposite.

For example, what does Network vs Local vs Physical mean if it's an exploit in a cloud microservice?

Ooh let me consult the tea leaves. What's that? They consider it "Network" even though it's S3 mounted locally as a filesystem? Now that sev:med looks like a sev:crit.

The known alternative to CVSS is to rate severity levels entirely on vibes, and I find vibes to be more accurate.

worthless-trash2y ago

Maybe you've had bad experiences with some vendors doing analysis however it i documented here: https://www.first.org/cvss/v3.0/user-guide

> Network vs Local vs Physical

Network: It has to traverse the network stack. Adjacent: On the same physical network link, (usually this means the ability to send packets that are lower level than TCP/IP). Local: ability to execute code on the local machine as the starting point. Physical: You need to be able to touch the machine.

I'll be the first to admit that it can be difficult for some new players to correctly score their system. The "AV" refers to the attackers perspective, not how the software is used, this is a common mistake that quite a lot of vendors make.

1 more reply

tptacek2y ago

I agree strongly. sev:{info,lo,med,hi,crit}. All you really need.

1 more reply

tsujaminOP2y ago

Can’t speak for others, but I’m talking from some experience here triaging and reporting fwiw. Not that I’m notable :)

_tk_2y ago

I guess it depends on what field you are talking about. I'd say that the typical scores on CVEs can be helpful indicators, but that's really it. I'd agree with you, that everyone(?) in the field knows, that all players game the systems, e.g. Microsoft every patch Tuesday, or someone with a cool name for a vuln and a blog.

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

tptacek2y ago· 5 in thread

I feel like I'm on reasonably safe ground when I say that my take on CVSS is a mainstream one in the field.

some_furry2y ago

I've only seen CVSS used by vendors to declare a lower severity rating than is warranted by an earnest understanding of a bug, and bug bounty hunters to do the opposite.

For example, what does Network vs Local vs Physical mean if it's an exploit in a cloud microservice?

Ooh let me consult the tea leaves. What's that? They consider it "Network" even though it's S3 mounted locally as a filesystem? Now that sev:med looks like a sev:crit.

The known alternative to CVSS is to rate severity levels entirely on vibes, and I find vibes to be more accurate.

worthless-trash2y ago

Maybe you've had bad experiences with some vendors doing analysis however it i documented here: https://www.first.org/cvss/v3.0/user-guide

> Network vs Local vs Physical

1 more reply

tptacek2y ago

I agree strongly. sev:{info,lo,med,hi,crit}. All you really need.

1 more reply

tsujaminOP2y ago

Can’t speak for others, but I’m talking from some experience here triaging and reporting fwiw. Not that I’m notable :)

_tk_2y ago

j / k navigate · click thread line to collapse