cURL and Go Security Teams Reject Flawed CVSS Scoring System

2025-01-27

The cURL and Go security teams have publicly denounced the Common Vulnerability Scoring System (CVSS) as flawed for assessing vulnerabilities and are advocating more accurate, context-aware approaches. CVSS's one-size-fits-all scoring often yields misleading results, especially for a project like cURL with billions of installations. Daniel Stenberg, cURL's creator, pointed to CVSS's failure to account for the specific context in which a bug is reachable, which produces inflated or otherwise inaccurate scores. The Go security team echoed these concerns and has opted for context-driven severity assessments instead. Their stance reflects growing dissatisfaction with CVSS and adds pressure for better alternatives. The context-driven approach has its own difficulties, however: maintainers struggle to accurately gauge every scenario in which users deploy their software. A culture clash between security researchers and open-source maintainers further complicates the issue, with researchers seeking recognition for their findings and maintainers focusing on practical impact. The NVD's enrichment backlog exacerbates the situation.