{"id":7212,"date":"2025-02-05T10:04:59","date_gmt":"2025-02-05T16:04:59","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83398"},"modified":"2025-02-05T10:04:59","modified_gmt":"2025-02-05T16:04:59","slug":"infosec-pros-we-need-cvss-warts-and-all","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/05\/infosec-pros-we-need-cvss-warts-and-all\/","title":{"rendered":"Infosec pros: We need CVSS, warts and all"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Infosec pros: We need CVSS, warts and all | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cvss-criticism-cve-nvd-nist-epss\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Infosec pros: We need CVSS, warts and all\"> <meta property=\"og:description\" content=\"The Common Vulnerability Scoring System has a lot of critics, but experts say it\u2019s still the best unified way to share the severity of cybersecurity flaws.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cvss-criticism-cve-nvd-nist-epss\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-05T16:04:59+00:00\"> <meta property=\"article:modified_time\" content=\"2025-02-05T16:05:02+00:00\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg\"> <meta name=\"twitter:creator\" 
content=\"@gregotto\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1738186663g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=811a4fffdf449a472805\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83398\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83398\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcvss-criticism-cve-nvd-nist-epss%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcvss-criticism-cve-nvd-nist-epss%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83398 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cvss-criticism-cve-nvd-nist-epss\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" 
viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.071428571429\">\n<div class=\"single-article__header-content\" readability=\"34.259259259259\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cvss-criticism-cve-nvd-nist-epss\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The Common Vulnerability Scoring System has a lot of critics, but experts say it\u2019s still the best unified way to share the severity of cybersecurity flaws. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83398\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg 4800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-4.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"109.04813330727\"><body readability=\"219.34573238162\"><\/p>\n<p>A key pillar of a strong cybersecurity program is identifying vulnerabilities in the 
complex mix of software programs, packages, apps, and snippets driving all activities across an organization\u2019s digital infrastructure.<\/p>\n<p>At the heart of spotting and fixing these flaws is the widely used Common Vulnerability Scoring System (CVSS), maintained by a nonprofit called the Forum of Incident Response and Security Teams (FIRST). CVSS is currently in its <a href=\"https:\/\/www.first.org\/cvss\/calculator\/4.0\">fourth iteration<\/a> since its launch in 2005.<\/p>\n<p>Although it\u2019s the most common indicator of a vulnerability\u2019s danger levels, CVSS has long been subject to a host of criticisms, with periodic appeals from software providers and security researchers to jettison the system altogether and start anew. However, after another round of criticism sparked conversation across the industry, experts say the criticisms are mostly unwarranted. Experts that spoke with CyberScoop advocated for staying the course with a system that, while imperfect, still provides valuable metrics that defenders need for quickly grasping the overall severity of vulnerabilities.<\/p>\n<p>The CVSS score is \u201ca way of capturing the properties of vulnerabilities in a systematic way,\u201d said Sasha Romanosky, a senior policy researcher at the Rand Corporation who worked on the creation of the CVSS system 20 years ago. \u201cWhen you talk about a vulnerability being exploited, there are different sort of ways and features about vulnerabilities that allow that to happen. 
The original question was, OK, let\u2019s enumerate those different ways and consequences.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"h-is-cvss-getting-swept-up-in-nist-or-nvd-woes\">Is CVSS getting swept up in NIST or NVD woes?<\/h4>\n<p>CVSS scores, along with the vulnerabilities themselves \u2014 referred to as CVEs (Common Vulnerabilities and Exposures) \u2014 are reported by CVE Numbering Authorities (CNAs). This information is published in two major databases widely used by cybersecurity defenders.&nbsp; CVSS scores range from 0.0 to 10.0, with the highest scores assigned to the most severe vulnerabilities. A base score describes the intrinsic characteristics of a flaw \u2014 not whether it is actually being exploited, and not how exposed any particular deployment is \u2014 so a high score should be a trigger for prioritization rather than a verdict on its own. &nbsp;<\/p>\n<p>The first and higher-profile database is the <a href=\"https:\/\/nvd.nist.gov\/\">National Vulnerability Database<\/a> (NVD), maintained by the National Institute of Standards and Technology (NIST). The <a href=\"https:\/\/cve.mitre.org\/\">other database<\/a>, the CVE List from which the NVD draws its entries, is maintained by the MITRE Corporation, a federally funded R&amp;D center.<\/p>\n<p>The NVD has <a href=\"https:\/\/cyberscoop.com\/plan-to-resuscitate-beleaguered-vulnerability-database-draws-criticism\/\">sparked<\/a> many complaints over the years, particularly after a recent funding shortfall created a backlog in NVD\u2019s <a href=\"https:\/\/cve.icu\/CVEGrowth.html\">cataloging<\/a> of up to 40,000 CVEs per year. 
The virtual standstill was so significant that the Cybersecurity and Infrastructure Security Agency (CISA) helped NIST with what it calls a \u201c<a href=\"https:\/\/github.com\/cisagov\/vulnrichment\">vulnrichment<\/a>\u201d project.<\/p>\n<p>Some experts say the troubles surrounding the NVD have caused a negative spillover onto CVSS.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIt\u2019s not CVSS they\u2019re complaining about,\u201d said Pete Allor, senior director at Red Hat. \u201cBefore losing their funding, they only had 11 analysts and were looking across 20,000 to 40,000 issues per year.\u201d<\/p>\n<p>As a consequence, NIST is scoring vulnerabilities based on limited knowledge, and, to be on the safe side, \u201cthey\u2019re going for everything globally at its worst case,\u201d Allor said. \u201cNow people take that as, \u2018it\u2019s the national vulnerability database underneath NIST, so they should know.\u2019 Well, the problem is they don\u2019t. Then, regulators and auditors take that as a blanket score. \u2018Oh, you have to be above this level and fix all of them.\u2019 And that\u2019s where the complaint comes from. It\u2019s not that CVSS is bad; it\u2019s the blind faith that someone\u2019s CVSS score is immutable for everything.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-cvss-might-be-too-complicated-and-yet-imprecise\">CVSS might be too complicated and yet imprecise<\/h4>\n<p>Not all experts think the issues with CVSS are byproducts of NVD\u2019s woes. Some point to its foundation in quantitative analysis that has, from time to time, led to confusion and misinterpretation.<\/p>\n<p>Critics say, \u201c\u2018Look, the equations that you use don\u2019t make any sense to me,\u2019\u201d Romanosky said. \u201c\u2018I don\u2019t understand how you got them. 
This numbering that you have is sort of useless, irrelevant, distracting, unhelpful, you name it.\u2019 That\u2019s fine. And that kind of problem would exist no matter what; whenever you go from qualitative values to something numerical, you always have some conversion, and that will always be imperfect.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Robert Fox, a CIO, CISO and CTO consultant, said the \u201cone-off type of scoring\u201d with CVSS makes some things especially \u201cunclear.\u201d<\/p>\n<p>\u201cIt\u2019s static,\u201d he said. \u201cIt doesn\u2019t take into account various other types of components in there to make it useful because a high score on the CVSS scale is not necessarily an imminent threat that needs to be addressed or patched.\u201d<\/p>\n<p>(The CVSS specification itself defines Temporal \u2014 called Threat in v4.0 \u2014 and Environmental metric groups that let a consumer adjust a base score for exploit maturity and for the exposure and criticality of their own assets. What most organizations see and act on, however, is the published base score alone, which is why the system feels static in practice.)<\/p>\n<p>Jeff Williams, co-founder and CTO of Contrast Security, said there\u2019s a problem with people \u201ctrying to use these risk rating systems for things that they\u2019re not very good at. &nbsp;You see a lot of people in cybersecurity that are quants; they love metrics and data and precision, and even if you\u2019re using one of these systems, I don\u2019t care which one, it\u2019s based on a bunch of factors that someone has to estimate.\u201d<\/p>\n<p>\u201cPeople are looking for these systems to try to solve all those problems,\u201d he continued. \u201cAnd I\u2019m just very practical about this. Let\u2019s put a little work into ballparking the risk and then fix it if it falls into some level of risk we care about. But spending weeks on getting these numbers super precise is just a fool\u2019s errand.\u201d<\/p>\n<p>Still, other experts think that CVSS critics might not understand the system as well as they should. 
\u201cMost of the issues stem from not understanding what CVSS was designed for and trying to use it as a complete solution,\u201d said Jerry Gamblin, research team lead for Cisco Vulnerability Management. \u201cThe best way to resolve the complaints is to consider CVSS as one of many tools you should use for measuring vulnerability risk.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"h-alternatives-or-augmentations-to-cvss\">Alternatives or augmentations to CVSS<\/h4>\n<p>Over the years, several alternatives or augmentations to CVSS have been floated. Most recently, the United Kingdom\u2019s National Cyber Security Centre (NCSC) <a href=\"https:\/\/www.ncsc.gov.uk\/report\/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities\">released a paper<\/a> extending a <a href=\"https:\/\/cwe.mitre.org\/documents\/unforgivable_vulns\/unforgivable.pdf\">concept developed<\/a> in 2007 by MITRE\u2019s Steve Christey that classifies vulnerabilities into \u201cforgivable,\u201d \u201cunforgivable,\u201d or \u201cunexploitable\u201d based on a range of factors.<\/p>\n<p>The NCSC said the paper \u201cintends to generate discussion with vendors, and is a call on them to work to eradicate vulnerability classes and make the top-level mitigations\u201d easier to implement.<\/p>\n<p>\u201cI will say that rating them based on forgivability can help an organization learn because now you\u2019re looking backward to the root cause,\u201d Williams said. 
\u201cIt\u2019s not like, \u2018Well, we had a vulnerability, and we should just fix it and stay on this hamster wheel of pain.\u2019 It is, \u2018Let\u2019s look at why did that happen and is it something we can improve our process so that we prevent those vulnerabilities in the future.\u2019\u201d<\/p>\n<p>Still, Williams thinks it\u2019s a weird way of thinking about vulnerabilities.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIt has nothing to do with whether you should fix it or not, who you blame for it, or whether you should blame someone for it,\u201d he said. \u201cIt\u2019s an odd factor.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-epss-entered-the-scene-to-measure-exploitation-likelihood\">EPSS entered the scene to measure exploitation likelihood<\/h4>\n<p>Another system has been developed to fill what some critics have said is missing in CVSS: the ability to gauge how likely a flaw is to be exploited. Also housed under FIRST, this <a href=\"https:\/\/www.first.org\/epss\/\">Exploit Prediction Scoring System (EPSS)<\/a> \u201cis a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.\u201d<\/p>\n<p>Romanosky, one of the developers of EPSS, said that \u201cthere was a kind of an important awareness a number of years ago that while CVSS may be a good measure of enumerating these features of vulnerability and establishing some number of severity, it wasn\u2019t a good measure of exploitation, meaning it wasn\u2019t always true that the vulnerabilities that scored the highest were those being exploited. For those people who are interested in actual exploitation, what vulnerabilities bad guys are exploiting in the world right now, you can\u2019t use CVSS to help you figure that out. We needed a new mechanism. 
And from that grew EPSS.\u201d<\/p>\n<p>One of the issues with EPSS is that it is currently not included in the NVD or MITRE databases. \u201cSo, there\u2019s some concern by NIST and maybe others that if they start to adopt it, but then it fails somehow, well, what do they do?\u201d he added. \u201cAnd part of that is just trust in its longevity.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Red Hat\u2019s Allor, who was on the FIRST board when it created the EPSS special interest group (SIG), said that EPSS \u201cis a cool idea.\u201d But, he added, \u201cEPSS has the ability to see certain sectors from certain geographies and concentrates on certain sets of software. It\u2019s very good on Microsoft. It\u2019s really good on Adobe. But you get to routers like Juniper and Cisco and open-source [software], and it doesn\u2019t have visibility. You have to understand it\u2019s a good tool with limitations.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-cvss-is-here-to-stay\">CVSS is here to stay<\/h4>\n<p>Despite the search for alternative scoring systems, most experts believe CVSS, which has undergone refinements for over two decades, should continue to be the cornerstone of vulnerability reporting.&nbsp;<\/p>\n<p>\u201cIt\u2019s been 20-some years now since it was first released,\u201d Romanosky said. \u201cIt\u2019s been adopted widely by government standards and commercial standards. It\u2019s an international standard. It\u2019s the de facto way now that people represent the severity of a vulnerability.\u201d<\/p>\n<p>\u201cI recognize it\u2019s imperfect,\u201d he added, \u201cbut I have yet to see anyone in 25, 30 years who has come along with something better.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cisco\u2019s Gamblin agreed. 
\u201cI believe every organization should use multiple data sources when prioritizing vulnerabilities in its environment. However, I have yet to see a successful program that does not include the CVSS base score in its vulnerability evaluations.\u201d<\/p>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.9542253521127\">\n<div class=\"author-card\" readability=\"10\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all.png?w=640&#038;ssl=1\" alt=\"Cynthia Brumfield\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Cynthia Brumfield<\/h4>\n<p> Cynthia Brumfield is a veteran communications and technology analyst who is now focused on<br \/>\ncybersecurity. She runs a cybersecurity news and information site, Metacurity.com. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<div class=\"popular-stories__stories\">\n<div class=\"popular-stories__cards\">\n<article class=\"post-item post-item--popular-stories-cards \" readability=\"23.394329896907\">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/microsoft-patch-tuesday-january-2025\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"506\" height=\"337\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-1.jpg?resize=506%2C337&#038;ssl=1\" class=\"attachment-ratio-16-9-md size-ratio-16-9-md wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=300,200 300w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-5.jpg?resize=1265,843 1265w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\"> <\/a><figcaption class=\"screen-reader-text\"> Microsoft Romania headquarters in City Gate Towers situated in Free Press Square, in Bucharest, Romania. 
(Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\" readability=\"5.7611940298507\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/microsoft-patch-tuesday-january-2025\/\"> Microsoft fixes 159 vulnerabilities in first Patch Tuesday of 2025 <\/a> <\/h3>\n<p> In its latest security update, Microsoft has addressed a total of 159 vulnerabilities, covering a broad spectrum of the tech giant\u2019s products, including .NET, Visual Studio, Microsoft\u2026 <\/p>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/greg-otto\/\"> Greg Otto <\/a> <\/span> <\/div>\n<p><!-- .byline --> <\/header>\n<p><!-- .post-item__meta --> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/2024-android-security-bulletin-november-qualcomm-fastrpc-driver\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"252\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-2.jpg?resize=252%2C168&#038;ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=768,513 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=1024,684 1024w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=1536,1026 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=600,401 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=1011,675 1011w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-6.jpg?resize=1263,843 1263w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\"> <\/a><figcaption class=\"screen-reader-text\"> Screen of smartphone with icons. (Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/2024-android-security-bulletin-november-qualcomm-fastrpc-driver\/\"> Android warns of Qualcomm exploit in latest security bulletin <\/a> <\/h3>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/cvasquez\/\"> Christian Vasquez <\/a> <\/span> <\/div>\n<p><!-- .byline --> <\/header>\n<p><!-- .post-item__meta --> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"252\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-3.jpg?resize=252%2C168&#038;ssl=1\" 
class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/infosec-pros-we-need-cvss-warts-and-all-7.jpg?resize=1012,675 1012w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\"> <\/a><figcaption class=\"screen-reader-text\"> Rep. Deborah Ross, D-N.C., speaks during a press conference in Washington, D.C., on June 3, 2024. Legislation from Ross and two colleagues to add AI systems to the National Vulnerability Database cleared a House panel on Sept. 25, 2024. (Photo by ALLISON BAILEY\/Middle East Images\/AFP via Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/\"> House panel moves bill that adds AI systems to National Vulnerability Database <\/a> <\/h3>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/derek-johnson\/\"> Derek B. 
Johnson <\/a> <\/span> <\/div>\n<p><!-- .byline --> <\/header>\n<p><!-- .post-item__meta --> <\/article>\n<\/p><\/div>\n<\/p><\/div>\n<p><!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cvss-criticism-cve-nvd-nist-epss\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infosec pros: We need CVSS, warts and all | 
CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1765,3669,78,3303,1767,927,256,288,643],"tags":[1770,3670,86,3304,1772,929,262,294,645],"class_list":["post-7212","post","type-post","status-publish","format-standard","hentry","category-cve","category-cvss","category-cybersecurity","category-mitre","category-national-vulnerability-database","category-nist","category-research","category-threats","category-vulnerabilities","tag-cve","tag-cvss","tag-cybersecurity","tag-mitre","tag-national-vulnerability-database","tag-nist","tag-research","tag-threats","tag-vulnerabilities"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve\/\" rel=\"category tag\">CVE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cvss\/\" rel=\"category tag\">CVSS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mitre\/\" rel=\"category tag\">MITRE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-vulnerability-database\/\" rel=\"category tag\">National Vulnerability Database<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nist\/\" rel=\"category tag\">NIST<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a>","tag_info":"vulnerabilities","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7212"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7212\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
