Open Source Security

By Josh Bressers

We broke CVSSv3, now how do we fix it?

Episode length: 31 min

Published June 14, 2020 7:00pm

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next?

Show Notes

Josh's blog post

NVD

Red Hat security data

Josh's CVE data project

Microsoft security ratings scale
