Exploitability is relative, as in compared to other bugs of a similar class. Subjectivity is not always bad.
CVSS score is better than nothing. Like I said before, high/medium/low is not granular enough. How is it different from having a 3-point numerical scale? Do you disagree with the granularity?
Just MS Patch Tuesday could be dozens of patches. If you have the process, you can use CVSS as a starting point for generating a final risk score. If you don't, CVSS provides you with some guidance as to what you should prioritize. It's meant to be an aid, not a rule. In the end you should patch all vulns and prioritize as it makes sense in your environment.
CVSS scores are worse than nothing. You can make self-XSS come out high, and RCE come out low, and people routinely do both. False certainty is worse than uncertainty.
While I agree with your last sentence, I believe you are misunderstanding the purpose of the score.
It is meant to facilitate your risk assessment. Taking your example, a lot of people think RCE is automatically bad and XSS not so much (but yeah, self-XSS is mostly low sev). If the vuln is regarding a bug where theoretically RCE might be possible but there are no known exploits, then it should have a lower exploitability score than unauthenticated XSS on a login page, right? Similarly, naive people might think DoS isn't so bad, but service disruption can be a lot worse than RCE depending on the asset, data and threat model. CVSS is meant to guide those people so they prioritize based on a standard score rather than intuition.
Threat model is another thing; if you expect attackers that can rapidly develop exploits after discovery, then you would increase/adjust the exploitability score yourself (and the score does change over time as exploits are made public).
I guess my perspective is that hygiene is hygiene, either you have it or not. All vulns should be remediated regardless of any scores. I have been responsible for giving guidance to IT ops teams on prioritizing patches and this helps, but you have to understand the purpose and meaning behind the scores. It can certainly be misunderstood and I am sure there are many improvement opportunities like what you mentioned, but the alternative is to expect resource-limited staff to read and understand every vuln (including how specific complex attacks can be pulled off). And even if that was possible, how does someone managing said staff validate that things are being prioritized properly? How do you get an external auditor to properly assess your practices if you interpret every vuln autonomously without any well-established and understood priority structure? I mean you can change the score according to your opinion all you want, but at least you can say "Because of _____ I am increasing the exploitability score" as opposed to "I don't think it's so bad so I'll score it n". Maybe I just have a different perspective.
Haven't heard of OSVDB in a long time, but it exists too. Most orgs need something to fill this need.
What I'm reading here is the case that, if there were such a score that could reliably capture risk in at least some of its complexity, that would be good. I agree, it would be good. My point is that CVSS doesn't do that. My evidence isn't that there's a self-XSS somewhere scored 8+, but that this happens routinely, because you can (and people absolutely do) make CVSS scores say whatever they want them to say.
Perhaps the problem is a lack of integrity, or the fact that these scores are misused to evaluate how good/bad a product is leads to inevitable attempts to manipulate the scores in bad faith?
Is the problem with the score system itself or the political structure of who gets to set the scores and how? If the former, then you have a very good point.
It's a technical problem more than a moral problem. As you observe, it's helpful to have some kind of risk metric that captures the complexity of actual exposures in real systems. But with CVSS, there's so much context you need about why a vulnerability is scored as it is, you might as well just ditch the score and share the context; without the details about how the score was arrived at, your 8+ might just as well be my 1.0.