Security News > 2022 > January > Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

The initial Log4j vulnerability received a base CVSS score of 10.0.

While CVSS scores can inform vulnerability remediation strategies, Kenna Security, acquired last year by Cisco, argues that there are better prioritization signals like focusing on flaws with exploit code and counting the number of times a vulnerability is mentioned on Twitter.

In an email, Jay Jacobs, partner and co-founder at the Cyentia Institute, told The Register that Twitter is a better yardstick than CVSS even when a vulnerability's CVSS score is a 10 - which makes it obvious the flaw should be dealt with.

Chris Gibson, executive director of the Forum of Incident Response and Security Teams, told The Register in an email that CVSS and EPSS measure different things - severity and risk, respectively.

"Many well-meaning consumers of CVSS simply stack rank vulnerabilities found in their products by CVSS Base Score and form an action/mitigation plan based on that number alone. While by far the easiest method, it's also the least apt and accurate. Additional inputs, such as Threat and Environment, must be taken into account to come up with an accurate assessment."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/19/twitter_cvss_vulnerabilites/