
Bistahieversor or MS08-067? 

If you had to list the problems with CVSS it would be like analyzing the anatomical issues of a children's drawing: no part of it fits together properly. Here's one: scoring a vulnerability is not one-dimensional, and a single number can't carry the whole story. We need a vulnerability scoring system that's extensible and programmable.

But I have an alternative: take each vulnerability attribute and assign it to a dinosaur part! Is it client-side? Then it's got legs. Does it need user interaction? Then short stumpy legs. Is it a true remote against a service? Then it's got wings. Is it a root bug? Then it has a big mouth. User-level access? Duckbill.

That way, the attributes of the vulnerability reflect themselves as a literal model, a denizen of your Cretaceous nightmares. But it rings true: getting attacked by five hundred pre-auth XSS bugs in your web front-end is exactly like getting attacked by a horde of ducks. And of course, vulnerabilities combine: an LPE + a remote user-level XSS + a sandbox escape has legs and teeth.
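If you want the "extensible and programmable" version of the dinosaur, here is one way to sketch it. This is an added example, not Dave's code or any published scheme: the privilege ladder, the chain() rules and the three chained bugs (renderer bug, sandbox escape, LPE) are constructed for illustration, and MS08-067 appears only as the canonical wings-plus-big-mouth bug (pre-auth, remote against the Server service, code execution as SYSTEM). The point it shows is that composition, not addition, is what a scalar score loses: none of the three chained bugs is remote root on its own, but the chain is.

```python
"""Dinosaur-style vulnerability model: attributes compose instead of
collapsing into one number.

Added example for this post. The Vuln fields, the chain() rules and the
sample bugs are assumptions of this example, not a published scheme.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Iterable


class Vector(Enum):
    REMOTE_SERVICE = "remote service"  # true remote against a listening service
    CLIENT_SIDE = "client-side"        # a victim has to open or visit something
    LOCAL = "local"                    # attacker already runs code on the box


class Priv(IntEnum):
    """Where the attacker stands. Ordered so chains can check preconditions."""
    NONE = 0      # unauthenticated, off the box
    SANDBOX = 1   # code execution inside a renderer/app sandbox
    USER = 2      # code execution as a normal user
    ROOT = 3      # root / SYSTEM


@dataclass(frozen=True)
class Vuln:
    name: str
    vector: Vector
    requires: Priv             # what the attacker must already hold to use it
    grants: Priv               # what success hands over
    needs_interaction: bool = False


def body_parts(v: Vuln) -> set[str]:
    """The post's mapping: each attribute becomes a visible anatomical feature."""
    parts: set[str] = set()
    if v.vector is Vector.CLIENT_SIDE:
        parts.add("short stumpy legs" if v.needs_interaction else "legs")
    elif v.vector is Vector.REMOTE_SERVICE:
        parts.add("wings")
    if v.grants is Priv.ROOT:
        parts.add("big mouth")
    elif v.grants is Priv.USER:
        parts.add("duckbill")
    return parts


def chain(vulns: Iterable[Vuln], start: Priv = Priv.NONE) -> tuple[bool, Priv, set[str]]:
    """Compose bugs in order. Returns (feasible, privilege reached, combined creature).

    A step is usable only if the attacker already holds what it requires;
    privilege never goes down. So the value of a chain is where the last
    usable step leaves you, not a sum of per-bug scores.
    """
    have = start
    creature: set[str] = set()
    for v in vulns:
        if have < v.requires:
            return False, have, creature   # chain breaks here
        have = max(have, v.grants)
        creature |= body_parts(v)
    return True, have, creature


# MS08-067 as described publicly: pre-auth RPC to the Server service, runs as SYSTEM.
MS08_067 = Vuln("MS08-067 (Server service)", Vector.REMOTE_SERVICE, Priv.NONE, Priv.ROOT)

# Constructed chain for illustration: none of these is remote root by itself.
RENDERER_BUG = Vuln("renderer memory corruption (hypothetical)", Vector.CLIENT_SIDE,
                    Priv.NONE, Priv.SANDBOX, needs_interaction=True)
SANDBOX_ESCAPE = Vuln("sandbox escape (hypothetical)", Vector.LOCAL, Priv.SANDBOX, Priv.USER)
LPE = Vuln("kernel LPE (hypothetical)", Vector.LOCAL, Priv.USER, Priv.ROOT)


def describe(label: str, vulns: list[Vuln]) -> str:
    ok, priv, creature = chain(vulns)
    verdict = f"reaches {priv.name}" if ok else f"breaks at {priv.name}"
    return f"{label}: {verdict}; looks like: {', '.join(sorted(creature)) or 'nothing'}"


if __name__ == "__main__":
    print(describe("MS08-067 alone", [MS08_067]))
    print(describe("LPE alone, from the internet", [LPE]))
    print(describe("renderer bug + LPE (no escape)", [RENDERER_BUG, LPE]))
    print(describe("renderer bug + escape + LPE", [RENDERER_BUG, SANDBOX_ESCAPE, LPE]))
```

Adding a new attribute (say, "needs a specific non-default config") is a new field plus a new rule in body_parts() or chain(); nothing that consumes the model has to change, which is the "extensible" part. The creature set is the model you hand to people; the privilege reached is what you sort by when you have to.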

Modeling is better than scoring in every way. Maybe your network is an Animantarx, a living citadel, but more likely you're a Diplodocus, a big bag of walking meat getting nibbled to death by ducks.

-dave