Why the CVSS rating isn’t the entire story
The CVSS scoring system focuses on the characteristics of a single asset: how easy a flaw is to exploit, whether a patch exists, and the potential confidentiality or availability impact. That is important, and it is a solid starting point. But it doesn't account for one essential thing: context.
A vulnerability in a tightly isolated sandbox might score a 9.8 but never affect anything else. Meanwhile, a 5.2 in a single sign-on service, the system that every other system trusts, can become a blast radius multiplier. The score alone tells us nothing about how that flaw might ripple across the enterprise.
In the real world, vulnerabilities don't stay put. They move. They inherit privileges. They hitch rides through pipelines. They land in places nobody expected.
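To make the sandbox-versus-SSO comparison concrete, here is an added example (not code from the original article) that ranks findings by a context-aware priority instead of the raw CVSS base score. It walks a trust graph to compute each asset's blast radius and adds a weight for how much of the estate the asset can reach. The graph, the asset names, the scores and the weighting formula are all constructed for this illustration and are not a standard.

```python
"""Context-aware vulnerability prioritisation: CVSS base score combined with
blast radius derived from a trust/dependency graph.

Added illustration, not from the original article. The graph, the findings
and the weighting formula below are constructed for the example."""
from collections import deque

# Constructed trust graph: an edge A -> [B, ...] means "B trusts A", i.e. a
# compromise of A can ripple into B. The SSO service is trusted by nearly
# everything; the isolated sandbox reaches nothing.
TRUST_GRAPH = {
    "sso": ["payroll", "ci-pipeline", "customer-db", "wiki"],
    "ci-pipeline": ["prod-api"],
    "prod-api": ["customer-db"],
    "sandbox": [],
    "payroll": [],
    "customer-db": [],
    "wiki": [],
}


def blast_radius(asset, graph):
    """Return the set of assets transitively reachable from `asset` via trust edges."""
    seen = set()
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        for dependent in graph.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    seen.discard(asset)  # a cycle back to the asset itself is not extra reach
    return seen


def contextual_priority(cvss_base, asset, graph):
    """Combine the CVSS base score with blast radius.

    Constructed heuristic: priority = cvss_base + 10 * (reachable / other_assets).
    An isolated asset keeps its base score; a hub that can touch every other
    asset gains up to 10 points. Returns (priority, sorted reachable assets).
    """
    reach = blast_radius(asset, graph)
    other_assets = max(len(graph) - 1, 1)  # exclude the asset itself
    priority = cvss_base + 10 * (len(reach) / other_assets)
    return round(priority, 2), sorted(reach)


def rank(findings, graph):
    """findings: list of (cvss_base, asset). Returns dicts sorted by priority, highest first."""
    scored = []
    for cvss_base, asset in findings:
        priority, reach = contextual_priority(cvss_base, asset, graph)
        scored.append({"asset": asset, "cvss": cvss_base,
                       "priority": priority, "reach": reach})
    return sorted(scored, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    # Constructed findings: the 9.8 in the sandbox versus the 5.2 in SSO.
    findings = [(9.8, "sandbox"), (5.2, "sso"), (7.5, "ci-pipeline")]
    for f in rank(findings, TRUST_GRAPH):
        print(f"{f['asset']:12} CVSS {f['cvss']:<4} priority {f['priority']:<6} "
              f"reaches {f['reach']}")
```

Run as-is and the 5.2 in SSO comes out on top, the CI pipeline (which can reach production) second, and the sandbox 9.8 last, because the sandbox's blast radius is empty. The real work in a production version is maintaining the trust graph; the scoring arithmetic is the easy part.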