Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bo... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		jeroenhd 43 days ago \| parent \| context \| favorite \| on: RCE Vulnerability in React and Next.js Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores. While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug.

j45 43 days ago [–]

It’s possible to create a scoring system based on actual root cause analysis and impact scores.

Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.

Downplaying CVSS alone can smell a little like PR talk even however unintentional.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact