CVSS Is Broken: Scoring Vulnerability Risk in the Real World
Vulnerability management runs on a single number — and that number is lying to you. CVSS scores are embedded in scanner reports, regulatory frameworks, and executive dashboards worldwide, yet most defenders who work with real production environments eventually reach the same conclusion: the system, used in isolation, is a poor guide for prioritizing actual risk. In this seven-minute breakdown of CVSS's real-world failures, the episode works through five hard-earned lessons about what goes wrong and how to fix it.
Here's what the episode covers:
- Context blindness: CVSS is deliberately environment-agnostic, which means an internet-facing payment gateway and an air-gapped lab server can carry identical scores despite wildly different blast radii — and the fix is tagging assets with business context before acting on any score.
- Exploitability gaps: Base scores assume worst-case conditions even when no working exploit exists, while actively weaponized bugs sometimes sit below the critical threshold; pairing CVSS with CISA's Known Exploited Vulnerabilities list and EPSS closes that gap.
- Score manipulation: The eight metrics that feed a CVSS calculation can be nudged — intentionally or not — by whoever files the advisory, producing legitimately different numbers for the same flaw; independent validation by internal engineering teams is the safeguard.
- Temporal decay: Vendors freeze the base score at publication and rarely update it, so dashboards stay static even after proof-of-concept code drops publicly; automated score-aging policies tied to exploit maturity keep the queue honest.
- Patch paralysis: A wall of 9.8s doesn't drive action — it drives overwhelm; replacing the binary "critical vs. everything else" model with a triage ladder built on reachability and live exploit status turns an unmanageable backlog into prioritized sprints.
- What good looks like: A concrete case study shows how a global manufacturer handled two simultaneous 9.8-scored CVEs differently based on exposure and compensating controls — patching one the same day, scheduling the other for the following quarter — with zero incidents.
The episode closes with a clear framework for enriching CVSS rather than discarding it: layer in asset criticality, live threat intelligence, compensating controls, and exposure surface data. When briefing leadership, swap raw CVE counts for plain-language statements about business risk — that's what actually moves patching decisions forward. For more on preparing for systemic shifts in security fundamentals, listen to the episode on Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis.
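The triage ladder from the "patch paralysis" lesson and the enrichment framework the episode closes with (asset criticality, live threat intelligence, compensating controls, exposure surface) can be made concrete in a few dozen lines. The following is an added illustration, not code from the episode or from SEC.CO: the `Finding` fields, the EPSS threshold of 0.10, the score adjustments, the tier names and the four sample findings are all assumptions chosen for this example. The sample includes the case study's pattern of two 9.8-scored CVEs that land in different tiers, plus an actively exploited bug that sits below the critical threshold.

```python
"""Added example: enriching a frozen CVSS base score into a triage ladder.

Every threshold and weight here is an assumption for illustration, not a
standard and not a value taken from the episode.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                     # identifier (placeholders below are constructed)
    cvss_base: float             # vendor base score, frozen at publication
    epss: float                  # EPSS probability of exploitation, 0..1
    in_kev: bool                 # listed in CISA Known Exploited Vulnerabilities
    public_poc: bool             # proof-of-concept code is publicly available
    exposure: str                # "internet", "internal" or "air-gapped"
    asset_criticality: str       # "high", "medium" or "low" business impact
    reachable: bool              # vulnerable code path is actually reachable here
    compensating_controls: bool  # e.g. WAF rule, feature disabled, network ACL


EPSS_ACTIVE = 0.10  # assumed cut-off for "likely to be exploited"


def exploit_maturity(f: Finding) -> str:
    """Live exploit status: the signal a frozen base score never carries."""
    if f.in_kev:
        return "weaponized"
    if f.public_poc or f.epss >= EPSS_ACTIVE:
        return "poc"
    return "none"


def effective_score(f: Finding) -> float:
    """Score-aging: re-weight the base score with intelligence and environment.

    The vendor's number is never edited; it is only adjusted up by exploit
    maturity and down by exposure, controls and reachability.
    """
    score = f.cvss_base
    maturity = exploit_maturity(f)
    if maturity == "weaponized":
        score += 1.0
    elif maturity == "poc":
        score += 0.5
    if f.exposure == "air-gapped":
        score -= 3.0
    elif f.exposure == "internal":
        score -= 1.0
    if f.compensating_controls:
        score -= 1.5
    if not f.reachable:
        score -= 4.0
    return round(max(0.0, min(10.0, score)), 1)


def triage(f: Finding) -> str:
    """Triage ladder: reachability first, then live exploit status and exposure."""
    if not f.reachable:
        return "P4-verify"  # confirm the code path before spending a sprint on it
    maturity = exploit_maturity(f)
    exposed = f.exposure == "internet"
    if exposed and maturity != "none" and not f.compensating_controls:
        return "P1-same-day"
    if (exposed and (maturity != "none" or f.cvss_base >= 9.0)) or (
        maturity == "weaponized" and f.asset_criticality == "high"
    ):
        return "P2-this-sprint"
    if maturity != "none" or f.cvss_base >= 7.0:
        return "P3-next-quarter"
    return "P4-backlog"


def leadership_summary(f: Finding) -> str:
    """Plain-language business-risk statement instead of a raw CVE count."""
    wording = {
        "weaponized": "being exploited in the wild",
        "poc": "has public exploit code",
        "none": "has no known exploit",
    }[exploit_maturity(f)]
    return (f"{f.cve}: {f.exposure}-facing, {f.asset_criticality}-impact asset, "
            f"{wording}; action: {triage(f)}")


def triage_queue(findings):
    """Order the backlog by tier, then by aged score within a tier."""
    ranked = sorted(findings, key=lambda f: (triage(f), -effective_score(f)))
    return [(f.cve, triage(f), effective_score(f)) for f in ranked]


# Constructed sample findings; the CVE identifiers are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.42, True, True, "internet", "high", True, False),
    Finding("CVE-0000-0002", 9.8, 0.02, False, False, "internal", "medium", True, True),
    Finding("CVE-0000-0003", 6.5, 0.35, True, True, "internet", "high", True, False),
    Finding("CVE-0000-0004", 9.8, 0.01, False, False, "internet", "high", False, False),
]

if __name__ == "__main__":
    for cve, tier, score in triage_queue(SAMPLE):
        print(f"{tier:16} {score:5}  {cve}")
    for f in SAMPLE:
        print(leadership_summary(f))
```

The two 9.8s diverge exactly as the case study describes: the internet-facing one with a live exploit and no controls is same-day work, the internal one behind compensating controls waits a quarter. The 6.5 in KEV outranks both 9.8s that lack exploit activity, and the unreachable 9.8 drops to a verification task rather than consuming a sprint.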
SEC.CO