Comment by Joker_vD

2 days ago

> it takes time that could be allocated elsewhere

And not scoring means that the security triage teams everywhere have to spend their time to assess the severity on their own, and in doing so, they mostly duplicate each other's work while deduplication is nigh impossible. Is this a worthwhile trade?

Consider e.g. vehicle recalls: the manufacturer could very well (barring legal requirements and the general public's expectation) just leave it to the customers and the repairmen out there to discover and deal with the defects on their own.

> kernel devs are not implementors, they may have never used docker or built a cut down kernel for an iot device, they just build a general purpose kernel

Well that's a pretty condescending look upon the kernel maintainers. Making a successful general-purpose kernel (never mind making a general-purpose kernel that also has a lot of quite specific affordances for custom scenarios) still requires understanding of how it will be used.

> And not scoring means that the security triage teams everywhere have to spend their time to assess the severity on their own,

We have to do that anyway because a worst case assessment is almost never worst case or even close.

CVSS is just the wrong tool for the job anyway. It's like assessing individual car parts on dimensions like "steering" and "acceleration" when most parts have no direct relationship to the completed product's high level qualities. And then you construct "worst case" stories that go "well, in the event that you are not steering while accelerating sharply, a fault in this seat cover could make that whole thing worse and cause a fatal crash: CVSS 9.9!"