glyph (@glyph@mastodon.social)

Reviewing multiple vulnerability reports in open source libraries today (some valid, some not), and it keeps coming up over and over again that CVSS is a hopelessly broken metric for infrastructure libraries. In most cases, it’s unrealistic to assess the impact of a flaw in an individual function on every application that might use it, so you have to assume the worst-case scenario. But the worst-case scenario is “the application made other mistakes too and the deployment network is a disaster”.
