@bagder @joshbressers something to keep in mind is that the NVD/CISA take a worst-case scenario approach of it could be used this way or it could be vulnerable this way because across the entire federal government, I guarantee you somebody is using it in some legacy system in a truly horrific way that it was not meant to be used. The other side is the economics of it. If they underestimate the severity, they'll get in trouble for saying the sky wasn't falling if an attacker does end up using it. If they say it's worse than it is, well that's a you problem, not a me problem. So the cost of the false positive prediction is externalized and the cost of a false negative prediction is internalized. And since nobody likes getting chewed out, well here we are with bad severity estimates of vulnerabilities.
https://infosec.exchange/@kurtseifried/113657936926679060
2024-12-15 bagder
@kurtseifried @joshbressers yeah, there really is no easy solution or fix here...