this post was submitted on 25 Aug 2023
28 points (100.0% liked)

cybersecurity


It was obvious already before that NVD really does not try very hard to actually understand or figure out the problem they grade. In this case it is quite impossible for me to understand how they could come up with this severity level. It’s like they saw “integer overflow” and figured that wow, yeah that is the most horrible flaw we can imagine, but clearly nobody at NVD engaged their brains nor looked at the “vulnerable” code or the patch that fixed the bug. Anyone that looks can see that this is not a security problem.

[–] [email protected] 1 points 1 year ago

This is why I'm glad to see some tools are starting to adopt the Exploit Prediction Scoring System (EPSS). It seems to do a little better job of helping defenders see how "bad" a vulnerability really is and prioritize more accurately.
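As an added illustration of the prioritization the comment above describes (example code written for this edit, not from the thread, either commenter, or FIRST), the script below ranks a set of scanner findings two ways: by CVSS base score alone, and by EPSS probability combined with the asset's exposure. The CVE identifiers, scores and exposure flags are constructed placeholders, and the JSON layout of the EPSS lookup (`status`, `data[].cve`, `data[].epss`, `data[].percentile`) is my understanding of the FIRST EPSS API's response, stated here as an assumption so the example runs offline.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset (constructed for this example)."""
    cve: str
    cvss: float            # CVSS v3 base score, 0.0-10.0 (placeholder value)
    internet_facing: bool  # whether the affected asset is reachable from the internet


# Constructed stand-in for an EPSS lookup response. Field names mirror the FIRST
# EPSS API's JSON as I understand it (assumption); ids and scores are placeholders.
EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.00043", "percentile": "0.11"},
        {"cve": "CVE-0000-0002", "epss": "0.91200", "percentile": "0.99"},
        {"cve": "CVE-0000-0003", "epss": "0.03100", "percentile": "0.87"},
        {"cve": "CVE-0000-0004", "epss": "0.00800", "percentile": "0.70"},
    ],
})

# Constructed findings. The first one is the "9.8 on paper, almost never exploited"
# case the post is complaining about.
FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, internet_facing=False),
    Finding("CVE-0000-0002", cvss=7.5, internet_facing=True),
    Finding("CVE-0000-0003", cvss=8.1, internet_facing=True),
    Finding("CVE-0000-0004", cvss=5.3, internet_facing=False),
]


def parse_epss(payload: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability (0.0-1.0) from the lookup JSON."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError("EPSS lookup failed: %r" % doc.get("status"))
    return {row["cve"]: float(row["epss"]) for row in doc["data"]}


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Severity-only ordering: the queue a CVSS-driven scanner report gives you."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: list[Finding], epss: dict[str, float]) -> list[str]:
    """Order by expected harm: exploitation likelihood x impact x exposure.

    A CVE missing from the EPSS table is treated as probability 0.0 here, so it
    sinks to the bottom; a real pipeline should surface that gap instead.
    """
    def score(f: Finding) -> float:
        likelihood = epss.get(f.cve, 0.0)
        exposure = 1.0 if f.internet_facing else 0.5   # halve weight of internal-only assets
        return likelihood * f.cvss * exposure
    return [f.cve for f in sorted(findings, key=score, reverse=True)]


def triage(findings: list[Finding], epss: dict[str, float],
           act_now: float = 0.10, watch: float = 0.01) -> dict[str, list[str]]:
    """Bucket findings. Thresholds are illustrative, not FIRST recommendations.

    act_now : EPSS at or above `act_now`, or critical CVSS on an exposed asset
    schedule: EPSS at or above `watch`, or critical CVSS on an internal asset
    backlog : everything else
    """
    buckets: dict[str, list[str]] = {"act_now": [], "schedule": [], "backlog": []}
    for f in findings:
        p = epss.get(f.cve, 0.0)
        if p >= act_now or (f.internet_facing and f.cvss >= 9.0):
            buckets["act_now"].append(f.cve)
        elif p >= watch or f.cvss >= 9.0:
            buckets["schedule"].append(f.cve)
        else:
            buckets["backlog"].append(f.cve)
    return buckets


if __name__ == "__main__":
    scores = parse_epss(EPSS_RESPONSE)
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    print("EPSS-weighted  :", rank_by_risk(FINDINGS, scores))
    print("Triage buckets :", triage(FINDINGS, scores))
```

Run as-is, the CVSS-only list puts the placeholder 9.8 first, while the EPSS-weighted list moves the 7.5 with a 91% exploitation probability on an exposed asset to the top and drops the 9.8 to last. The EPSS table is the only input that changes between the two orderings; the CVSS scores and assets are identical.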