The NVD defines one of the usages of CVSS as “a factor in prioritization of vulnerability remediation”. CVSS is the current de facto vulnerability metric, often seen as infallible guidance and a crucial element in many compliance processes. In our session we will go over real-world CVE examples, demonstrating cases and entire categories where CVSSv3.1 falls short of providing an accurate assessment, both due to its design and due to its various mishandlings. The session will also touch upon specific indicators in the CVE description that can raise the confidence in a CVSS score, and vice versa.
Hear from expert Brian Moussalli, Security Research Tech Lead at JFrog, who has over 13 years of experience in cyber security, with experience in security research, reverse engineering and malware analysis. He specializes in vulnerability analysis, threat intelligence research and automated threat detection.