this post was submitted on 25 Aug 2023
28 points (100.0% liked)

cybersecurity

3030 readers
2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

It was obvious already before that NVD really does not try very hard to actually understand or figure out the problem they grade. In this case it is quite impossible for me to understand how they could come up with this severity level. It’s like they saw “integer overflow” and figure that wow, yeah that is the most horrible flaw we can imagine, but clearly nobody at NVD engaged their brains nor looked at the “vulnerable” code or the patch that fixed the bug. Anyone that looks can see that this is not a security problem.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 year ago

This is why I'm glad to see some tools are starting to adopt the Exploit Prediction Scoring System (EPSS). It seems to do a little better job of helping defenders see how "bad" a vulnerability really is and prioritize more accurately.