
aja12 | 10 months ago

As a pentester who does not love CVSS[0], I found the article explaining how to replace CVSS with CVSS very amusing.

[0] CVSS is often poorly understood and used by internal teams, so for our internal engagements we prefer words like "minor", "medium", "major", "critical" to describe criticality and impact, and "easy", "medium", "hard" to describe exploitation difficulty (which loosely translates to likelihood). The reasoning behind all this is very similar to what CVSS does.


shagie | 10 months ago

Have you ever stumbled across the PEF/REV method for classifying bugs?

https://www.fincher.org/tips/General/SoftwareDevelopment/Bug...

The essence of it is that "PEF" is from the user's point of view: pain, effort (to work around), frequency. "REV" is from the developer's point of view: risk, effort (to fix), verifiability.

Something that has a low PEF score and a high REV score would not be practical to fix, while something that is high PEF and low REV should be given high priority.