Vulnerability thoughts:

  • Most attacks these days rely on chains of vulnerabilities.
  • Things that get CVSS scores are almost exclusively CVEs, which are individual vulnerabilities.

It's the vulnerability chains that matter, but the numbers that people are looking at are the individual vulnerability "links". And as a result, we ironically benefit by people not following the rules and assigning a CVSS for the whole chain to an individual link. Case in point:

https://infosec.exchange/@wdormann/114275453831928356

@wdormann The inability to contextually tie chains or groupings of vulnerabilities and the inability to differentiate an application from a vulnerable library function call are the things that bother me the most.

People have a really hard time adding context to vulnerabilities (as we see with temporal scores), and if the data isn't in the one spot it might as well not exist.

@wdormann "defenders think in lists, attackers think in graphs" vibes