Here are my thoughts on the Common Vulnerability Scoring System (CVSS).
CVSS captures the principal characteristics of software, hardware and firmware vulnerabilities, providing a universal language to help organizations understand the severity of the threat and determine their response.
Basically, "what's the risk, and what will I patch first?"
CVSS does not adequately convey the risk associated with a vulnerability, because it is software-specific and does not take into account the type of software or the impact.
A common example is a vulnerability in a web application: the vulnerability is evaluated based on the impact to the web server, while the impact on other systems that may browse to the web application containing the vulnerability is not taken into account.
The score does not adequately convey the risk associated with a known vulnerability; it is just a snapshot in time of what the vulnerability looks like.
For instance, SquirrelMail may have a CVSS score of 10, but the impact would not be as severe as if the same vulnerability affected Microsoft Exchange, because of its underlying Windows architecture.
Also, according to Tenable Research, 56% of all vulnerabilities are scored as High (CVSS score of 7.0–8.9) or Critical (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited. In my opinion, it's a good system, but it needs to be considered within this context.