We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Who is "we", Kemosabe?

"We need to come up with a more dynamic process that takes in the CVSS score, but also factors in knowledge from the system."

Those of us in the business have been doing that very thing for decades, usually without bothering with the CVSS score as the superfluous thing that it is. Got anything new to share with us, Rogers?

(Note: I matters not one whit what you tell Management, all they care about is the bottom line. If your solution can turn a profit, you're Golden. If it's a cost center, they will fight it tooth and nail. Turn broken security into a real, not imagined, cost center (with numbers!) and Bob's your Auntie.)

The task sounds enormous

So, two low-scoring vulns could be combined into one big problem. Sure, theoretically, but how do you evaluate just how many low-scoring things can be combined and in what way, before you can rate all of them properly ?

Security is always in hindsight. We know to look out for privilege escalation issues because some hacker one day taught us that it worked. We have a body of knowledge today that is certainly impressive, and it will be one hell of a task to knit all that knowledge together to create a proper rating system, but there is no such thing as automating the risk evaluation - it has to be analyzed by a human. Humans don't know everything, and are rather bad at taking into account hundreds of parameters at once.

It is obvious the CVSS is not very valuable, but crafting a good replacement is going to be a massive headache. And yet, it should definitely be done. Good luck with that, then.

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Because it gives an easy and quick method of identifying their severity. However, as Jake says above, if you only rely on the CVSS then you're doing it wrong.

Not like kids...

Kids do it in stars - min 1, may 5.

They cannot count as far as 10.

FMEA, anyone?

Simple answer, because a score from 1-10 is easy for most people to understand. It may not be the best method but telling people there is a severity 9 bug they need to plug (i.e. upgrade software) is going to be a lot more effective than (e.g.) a 14R8 level bug.

Tenable already have a new system called VPR - vulnerability probability rating ... which taken on it's own works pretty well.

A threat centric approach

This is a bit of an out of date perspective, talking about a problem that already has solutions. Multiple approaches for improving prioritisation of vulnerabilities already exist that augment CVSS's lack of real world information on the probability a vulnerability is and will be exploited. Tenable has "Predictive Prioritization" in their enterprise products and Kenna's "Prediction Model" is available to sit on top of other VM vendors data, both of which use ML to understand the likelihood of exploitation, irrelevant of the CVSS base and temporal metrics, to better focus on the small handful of vulnerabilities that will be leveraged versus the massive amount disclosed but will never be favoured by attackers.

It's not the scale that's the problem, it's the lack of real world context.

We're almost into the third decade of the 21st century

Suddenly made me feel very old when I read that :(

helocopter

It will be made as complicated as possible, completely unusable, and have governments highest approval and be made mandatory. Half the InfoSec peeps will say F this, and take jobs that don't stress them out so much.

Great plan. Just like making a helicopter, a million parts flying in formation, when one goes bad - they all do.

Can't say that I agree at all

The point of the scoring system is to draw attention to the bloody obvious. In general it works for reasons already stated in the comments. Because it is simple enough to understand.If your organization actually takes risk management seriously, it has in-house staff to do the the scoring in the context of how it affects the organization. Risk and threat modeling is not something I would expect someone outside my organization to understand as far as it applies to my organization because they lack the information to do so. I would not expect any agency or a third party organization to do a valid scoring for my organization as a general rule (auditing etc not included). They can't and even if they could it would not scale to try and keep such a vast library up to date. The simplicity scales.

Same old, same old...

Since the days of Windows 95, upon booting the system checks/maps network drives BEFORE initialising the WiFi. The result is an error report/notification upon a reboot.

It isn't as if Microsoft haven't noticed this. I reported it as a tester on windows 95, NT4 and Windows 10. When the simple stuff is never done because the 'bells and whistles' to attract non-IT-savvy people/users has priority, we will for ever be plagued by bugs that never seem to be correctly prioritised.

Just saying...

Borderline meaningless

NO one who has spent any time thinking about this issue uses CVE scores as anything other than a rank order in evaluating bugs that came in overnight. I've never gone to management and said, "Boss, we have to get on this one--it's a CVE 7!" or 8 or 9 or 10. If a point upgrade of the associated libraries is not enough, you evaluate the vuln in the context of your business, and, depending on how much process is needed, present the case to manglement about the actual threats the business faces relative to the known vulnerabilities in the system.

And while I'm in a bad mood, why are people talking about vuln chaining? Maybe it's a civilian mindset that I miss, but you infiltrate the same way you build--one step at a time. This has always been the case. Again, I've never said, "Oh, it's just a privilege escalation bug", or "Oh, it's just a unauthorized access issue." Every vuln in your system is a stepping stone to the next (potentially currently unknown) bigger vuln.

Not helped by bad scores

We’re setting a spate of CVEs with bloody stupid CVSS scores recently, not helped by bloody stupid bugs that aren’t security issues.

For example, flaws that require physical access to exploit are being marked as exploitable over the network which pushes the score up. Bugs that fail to check a return value during boot are also being marked as network exploitable even though there is no network at the time and no practicable way to exploit the thing anyway.

NVD are unwilling to address this problem so the scores are rapidly becoming useless so we see a lot of people asking for better ways of scoring. I’d settle for NVD accepting their limitations and asking experts for help to score vulns.

It’s exasperating.

"still ranking bugs from nought to ten"

The CVSS, for all its shortcomings (and there are some) has a resolution of one percent although the support documentation advises that its accuracy may be lower than that. Fair enough, it's handling a lot of rather imponderable parameters. However, no organisation I have ever worked with that used the CVSS has ever calculated the environmental score, which is intended to address the local susceptibility of the target to the technological vulnerability being attacked. Its lack of use is probably why it's remained rather a crude metric as the rest of the CVSS has evolved quite well.

In reality, practically no business for which there's a reliable post-breach incident report has shown up as robust or resilient. Most have been wide open to the supposedly "sophisticated attacks" which have usually turned out to be relatively trivial to execute.

The most important consideration in security is resilience against the unexpected, but almost all proactive effort so far has been directed at modelling the adversary rather than the target. A more sophisticated (and much less purely technocentric) CVSS environmental metric would be an excellent move towards resilience, but only if people were prepared to use it.

CVSS has flaws for sure but it’s easy to say it sucks but not offer a better solution. For me, I find the subscores/vectors very useful as I combine them with Threat, business and technical impact and internal controls in a heavily modified version of owasp risk rating that is more contextual and useful than Tenable or Kenna Prioritization alone. For instance, I’m classifying assets and business drivers or other risk indicators like safety and grid reliability to drive this logic. You can’t do that with a generic prioritization score. Check out Fortress Information Security and you will be pleasantly surprised. https://fortressinfosec.com or you can always visit owasp and roll your own.