What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?

bagder@mastodon.social

What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?

joshbressers@infosec.exchange

@bagder Probably none

Attackers can sometimes chain lower severity bugs together to do something interesting, but the reality is everyone is drowning in vulnerabiliites right now

Everyone has already written off Low and Medium as "don't care"

claus@hachyderm.io

@bagder it'd create a corollary for "if everything is urgent, then nothing is urgent": if low and medium severity bugs are ignored, then more bugs will be classified as high/critical.

ellie@darmstadt.social

@bagder Eliminating low and medium CVEs wouldn't actually make software safer; it would just blindfold defenders. It turns out that a lot of "minor" leaks can still sink the ship if they are left unmonitored.

xan@xantronix.social

@bagder uhh, you sleep? that kinda seems like an upside though so it's impossible to say

illuzive@indieweb.social

@bagder I guess the scale would change. What's HIGH now, would end up on the LOW end of the remaining interval.. possibly resulting in people ignoring the issues.

I have faith in people messing this up, if given the opportunity.

paulos@infosec.exchange

@Ellie Indeed, and it also depends on the specific environment. In one of recent talks I've been to, it was mentioned that the medium severity CVEs, after analysis, had sometimes bigger impact than the high/critical ones. So I guess it really depends. But it won't be pretty regardless. @bagder

bsdphk@fosstodon.org

@bagder

A lot of "security researchers" would be sad that they couldn't pad their resumes with more CVE numbers ?

jacques@mastodon.chester.id.au

@bagder I mean CVSS is not a great scheme for ranking anyhow. Even v4 has the core problems of v3 (IMO)

icing@chaos.social

@bagder macOS 15 still has curl 8.7.1. Those CVEs do not seem to have a lot of impact, if you ask me.

bms48@mastodon.social

@bsdphk The magic acronyms SAST and DAST post-date the writings of Dr. Jorgensen on Software Testing. And SonarQube might be a bit of a nothingburger if everyone is just using clang-tidy and cppcheck anyway. @bagder How can you maintain cURL as C89 and retain sanity? :^)

bagder@mastodon.social

@bms48 @bsdphk C89 is like my backyard and comfort zone. That's where I want to be.

bagder@mastodon.social

@jacques we don't use CVSS, never did...

frummidge@meow.social

@bagder normalization of deviance, mostly, but it's probably nothing that the industry hasn't encouraged before

jacques@mastodon.chester.id.au

@bagder well now I just feel silly for assuming!

bagder@mastodon.social

@jacques some background: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

richardoc@infosec.exchange

@bagder I'd prefer to know what issues exist, even if it's a bit noisier (on the blue team side)
Trying not to normalise the deviance of not fixing issues at my workplace

kpcyrd@chaos.social

@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.

Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.

bagder@mastodon.social

@kpcyrd countless projects basically do this already, I don't think the world would fall over. It would be fewer CVEs to care about.

rrdot@infosec.exchange

@kpcyrd @bagder this. If it doesn't matter that we have a common identifier to discuss security relevant bugs, then drop it. Otherwise keep em coming.