Stop Blaming CVSS: The Real Problem in Vulnerability Management is Us
In cybersecurity, it’s tempting to look for easy villains. The Common Vulnerability Scoring System (CVSS) has become one of the industry’s favorite punching bags. As exploitation rates rise, ransomware wreaks havoc and vulnerability volumes explode, the finger often points to CVSS. “The system is broken,” critics say. “We need something new.”
But the truth is more nuanced — and more uncomfortable. CVSS isn’t the root of the problem. We are.
We’re misusing a tool because we’ve failed to build the processes, integrations and data pipelines needed to use it correctly. CVSS wasn’t designed to be a risk prioritization engine. It’s a severity scoring system — a standardized way to describe the potential impact of a vulnerability. That’s all. Expecting it to deliver tailored, context-aware risk decisions is like blaming a thermometer because your house is too cold.
The Context Problem
What’s actually broken in most organizations is the operational model. Many security teams still treat CVSS base scores as gospel, acting on every 9.8 with the same urgency, regardless of whether the affected system is internet-facing or internal, whether there’s public exploit code, or whether the asset even matters to the business.
Meanwhile, these same teams often ignore vulnerabilities with lower CVSS scores that are actively being exploited in the wild, simply because they’re not “critical” on paper. It’s not CVSS that’s creating risk gaps — it’s a lack of context. And that context can’t be generated by CVSS alone.
A Data Standard, Not a Risk Score
Let’s be clear: CVSS is not without flaws. It can be manipulated or poorly applied in vulnerability advisories. And it doesn’t account for exploitability or asset value out of the box. But it was never supposed to. That’s why there’s a vector string and a scoring framework — to allow consumers of CVSS to adjust and interpret scores based on their own context.
The real problem is that many organizations never get to that point. The vulnerability data they’re working with is messy, inconsistent and siloed. Scanners output findings in different formats. Asset data is incomplete or outdated. Exploit intelligence is missing, or is never correlated with the findings at all. So teams fall back on what they do have: the CVSS base score.
And so CVSS becomes a scapegoat for what’s actually a data and process failure.
You Don’t Need a New Scoring System — You Need a Strategy
Calls to replace CVSS with something entirely new are misguided. What we need is better integration, not reinvention. We need security teams to correlate CVSS scores with exploitability data from sources like CISA’s KEV catalog or EPSS. We need asset owners to supply accurate context about what systems are critical to the business. We need vulnerability intelligence that enriches findings automatically and removes guesswork.
Ironically, many of the teams complaining loudest about CVSS also lack even basic asset criticality tagging. They don’t integrate exploit intelligence into their pipelines. They don’t correlate vulnerability data across tools. In that kind of environment, no scoring system will deliver meaningful risk prioritization.
Fixing the Real Problem
If you want to make vulnerability management better, don’t start by changing the score. Start by fixing the foundation:
- Standardize your data. Normalize findings across tools. Consolidate asset inventories. Ensure you can match a vulnerability to a business context quickly and reliably.
- Integrate threat intelligence. EPSS, KEV and commercial feeds all provide vital exploitability context. Use them to augment CVSS, not replace it.
- Automate the enrichment layer. Build processes that correlate severity, exploitability and asset value automatically so analysts don’t have to guess.
- Use the tools we already have — correctly. CVSS, when used with context, is still the best universal language we have for vulnerability severity. Let it do its job.
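The enrichment layer described in the list above (and the CVSS-plus-KEV/EPSS correlation called for earlier) is easier to reason about in code than in prose. The following is an added example, not code from the original article: it normalizes findings from two hypothetical scanner schemas, joins them to a constructed asset inventory, tags KEV membership and EPSS scores from constructed lookup tables, and only then assigns a priority tier. The CVE identifiers, hostnames, scores, KEV/EPSS values and tier thresholds are all invented for illustration; real pipelines would pull KEV and EPSS from their published feeds and set thresholds to fit their own risk appetite.

```python
"""Added example of a minimal vulnerability-enrichment layer.

CVSS stays what it is (severity). Asset context and exploit intelligence
are layered on top to produce a priority tier. All data below is constructed.
"""
from dataclasses import dataclass

# --- Constructed sample input (hypothetical scanner schemas, not real output) ---
SCANNER_A_FINDINGS = [  # scanner A reports hostnames and a "cvss_base" field
    {"cve": "CVE-0000-0001", "cvss_base": 9.8, "host": "build-agent-07"},
    {"cve": "CVE-0000-0002", "cvss_base": 7.5, "host": "vpn-gw-01"},
]
SCANNER_B_FINDINGS = [  # scanner B reports IPs and calls the same score "score"
    {"vuln_id": "CVE-0000-0003", "score": 6.5, "ip": "10.0.0.5"},
    {"vuln_id": "CVE-0000-0002", "score": 7.5, "ip": "10.0.0.9"},
    {"vuln_id": "CVE-0000-0004", "score": 5.3, "ip": "10.0.0.77"},  # not in inventory
]
# Asset inventory keyed by hostname and by IP so either scanner can be matched.
ASSETS = {
    "build-agent-07": {"id": "A-1", "criticality": "low", "internet_facing": False},
    "vpn-gw-01": {"id": "A-2", "criticality": "high", "internet_facing": True},
    "10.0.0.5": {"id": "A-3", "criticality": "medium", "internet_facing": False},
    "10.0.0.9": {"id": "A-4", "criticality": "high", "internet_facing": True},
}
KEV = {"CVE-0000-0002"}  # constructed stand-in for CISA KEV catalog membership
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.40}  # constructed


@dataclass
class Finding:
    cve: str
    cvss_base: float
    asset_key: str
    asset_id: str = "unknown"
    criticality: str = "unknown"
    internet_facing: bool = False
    in_kev: bool = False
    epss: float = 0.0
    tier: str = ""


def normalize(scanner_a, scanner_b):
    """Step 1: collapse both scanner schemas into one record shape."""
    out = [Finding(f["cve"], float(f["cvss_base"]), f["host"]) for f in scanner_a]
    out += [Finding(f["vuln_id"], float(f["score"]), f["ip"]) for f in scanner_b]
    return out


def enrich(findings, assets, kev, epss):
    """Step 2: attach asset context and exploit intelligence to each finding."""
    for f in findings:
        asset = assets.get(f.asset_key)
        if asset:  # unmatched assets keep "unknown" and are reported separately
            f.asset_id = asset["id"]
            f.criticality = asset["criticality"]
            f.internet_facing = asset["internet_facing"]
        f.in_kev = f.cve in kev
        f.epss = epss.get(f.cve, 0.0)
    return findings


def assign_tier(f):
    """Step 3: the contextual decision. Thresholds are illustrative only."""
    exposed = f.internet_facing or f.criticality in ("high", "critical")
    if f.in_kev and exposed:
        return "P1"  # known-exploited on something that matters: fix first
    if f.in_kev or (f.epss >= 0.5 and exposed):
        return "P2"
    if f.cvss_base >= 9.0 and exposed:
        return "P2"  # a 9.8 earns P2 only when the asset context supports it
    if f.cvss_base >= 7.0 or f.epss >= 0.1:
        return "P3"
    return "P4"


def prioritize(findings):
    """Rank by tier, then EPSS, then CVSS; CVSS alone never decides the order."""
    for f in findings:
        f.tier = assign_tier(f)
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted(findings, key=lambda f: (order[f.tier], -f.epss, -f.cvss_base))


def unmatched_assets(findings):
    """Inventory gaps are a finding in their own right: list keys we could not match."""
    return sorted({f.asset_key for f in findings if f.asset_id == "unknown"})


def run():
    """Run the whole pipeline over the constructed sample data."""
    findings = enrich(normalize(SCANNER_A_FINDINGS, SCANNER_B_FINDINGS), ASSETS, KEV, EPSS)
    return prioritize(findings), unmatched_assets(findings)


if __name__ == "__main__":
    ranked, gaps = run()
    for f in ranked:
        print(f"{f.tier} {f.cve} cvss={f.cvss_base} epss={f.epss} kev={f.in_kev} asset={f.asset_id}")
    print("assets missing from inventory:", gaps)
```

Note what the sample output makes visible: the lone 9.8 (an internal, low-criticality build agent with negligible EPSS) ranks below a 7.5 that is in KEV on an internet-facing gateway, which is exactly the inversion the article argues a base-score-only process gets wrong. The unmatched IP is surfaced as an inventory gap rather than silently scored as if it were unimportant.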
Final Thought
Let’s stop acting like CVSS is the enemy. It’s not. It’s a foundational standard that every scanner, every vendor and every vulnerability database already supports. Throwing it away would be counterproductive. Instead, let’s focus on the hard stuff: integrating data, automating enrichment and building prioritization strategies that reflect the real world.
The sooner we stop blaming the tool and start fixing the system around it, the better off we’ll all be.