Black Hat 2022: The CVSS Fallacy - can you trust the world's most popular vulnerability metric?
The NVD defines one of the uses of CVSS as "a factor in prioritization of vulnerability remediation". It is the current de-facto vulnerability metric, often treated as infallible guidance and a crucial element in many compliance processes. In our session we will go over real-world CVE examples, demonstrating individual cases and entire categories where CVSSv3.1 falls short of providing an accurate assessment, both because of its design and because of the various ways it is misapplied. The session will also touch upon specific indicators in a CVE description that can raise confidence in its CVSS score, and indicators that should lower it.
Speaker: Brian Moussalli, Security Research Tech Lead, JFrog, specializing in vulnerability analysis, threat intelligence research and automated threat detection. He has over 13 years of experience in cybersecurity, with a background in security research, reverse engineering and malware analysis.