Curl Project and Go Security Teams Reject CVSS as Broken
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approa...

While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which operates across diverse environments and billions of installations. “But when you’re unpaid, and 9/10 of the emails are about trivial vulns in method calls from dependencies that you’ve proven none of your code paths touch, and where patching would require a breaking change that means you are now fixing compatibility in ANOTHER open source project… well, it can get frustrating,” he said. Security teams that depend on accurate and timely data are often left grappling with outdated or incorrect scores, compounding the challenges of managing vulnerabilities effectively.