I recently gave a keynote at HOU.SEC.CON. 2025 that, apparently, touched a nerve.
It wasn’t meant to be as provocative as I think it ended up being. The subject of the talk was CVSS. We all use it, or derivatives of it, and many of us quietly complain about it. My goal was simple: to explain where the model fails mathematically, why its misuse has become systemic, and how the industry’s blind spots have calcified into the abysmal term "best practice." I proposed that it may be time to start moving away from it toward models that have a higher chance of working in the real world. I gave tons of graphs and examples explaining my points. That’s it. Yet somehow, this has been received as a provocation.
Several members of the CVSS SIG have reached out, some privately, some not, to tell me my analysis is not novel, or that I’m criticizing “misuse” rather than the system itself. I find this strange, because much of my argument rests on the premise that the system itself has inherent flaws, and those flaws persist regardless of how anyone uses it. And yes, of course people are also misusing it, without a doubt.
If pointing that out isn’t novel, then perhaps the scandal isn’t that I said it, but that so few people seem to care that it’s true. They are quicker to get angry at me for discussing it than at the problems in it and the fact that it is being misused.
Odd, right?
Let’s be clear: CVSS base scores, in theory, are not intended to be a prioritization metric. The SIG has said this themselves, repeatedly. And yet most of the world uses them exactly that way. You see the base score used as a sorting hat for patch queues and vulnerability dashboards... high to low. That’s not my opinion; it’s what practitioners keep telling me. Go talk to some vulnerability management (VM) teams, and you too will see what I see. They have it baked into their policies and customer contracts. Am I the one at fault for this? Obviously not.
So when I raise the issue that the field has collectively built an operational dependency on something its creators explicitly disavow, the reaction shouldn’t be indignation. It should be curiosity. Maybe even gratitude. Because the first step in fixing it is to admit the problem and the prioritization mess that CVSS, albeit probably inadvertently, has caused.
Instead, the instinct seems to be defensiveness. As if noticing the cracks in the foundation is more offensive than the cracks themselves.
This reaction tells us something profound about the culture of our field: we’ve become so invested in defending our own intellectual turf that critique is treated as trespass. It’s a kind of epistemic immune response: engaging with the critique would amount to admitting that they have known about the flaws for years and are somehow tacitly complicit. But that’s exactly the problem. We shouldn’t be fine with it. None of us should be okay with it.
Because CVSS isn’t just a math problem. It’s a social contract between engineers, infosec, and executives. When nearly forty percent of its output space is mathematically unreachable in version four, when identical vendor names are represented in a dozen inconsistent ways, when different versions and different people derive different scores... that is not misuse, and it cannot be laid at the feet of the user. That’s design debt that we're going to have to keep paying as long as we let it continue.
What should worry the CVSS SIG is not that someone is pointing this out, but that so many seem uncomfortable having the conversation at all. The proper scientific response to critique is not to sneer "we already knew that." It’s to ask, "Then why haven’t we fixed it?" Or better yet, "Does anyone have any clever ideas on how to fix this?" I suspect a lack of humility and closed-mindedness are going to be important factors in determining who will dig their heels in on this matter and who will survive what is coming. Because this will be a bigger problem as the number of vulns grows. Why? Because we can no longer fix all the issues. And if we can't fix them, then we have to prioritize. And what is the one prioritization system baked into CVE? Yep, CVSS.
To those who found the idea that CVSS has issues an uncomfortable concept, I’d encourage you to watch the video anyway. Not because I expect you to agree, but because this discomfort is instructive. And who knows? You may come up with some ideas that can fix this situation. Consider my talk to be the explanation of what happens when an idea that’s been running on institutional autopilot meets first principles.
If CVSS is to remain relevant, it must be willing to evolve, mathematically and operationally. And it will have to relinquish its place to better concepts, remaining only as a fallback prioritization system where nothing better is available.
It is my opinion that we must face this one dead on if we want to make progress.
So I will, even if it comes at personal peril.