Comment by MattPalmer1086

5 hours ago

> And not scoring means that the security triage teams everywhere have to spend their time to assess the severity on their own,

We have to do that anyway because a worst-case assessment is almost never worst case or even close.

CVSS is just the wrong tool for the job anyway. It's like assessing individual car parts on dimensions like "steering" and "acceleration" when most parts have no direct relationship to the completed product's high-level qualities. And then you construct "worst case" stories that go "well, in the event that you are not steering while accelerating sharply, a fault in this seat cover could make that whole thing worse and cause a fatal crash: CVSS 9.9!"