CVSS is dead to us
daniel.haxx.se/blog/2025/01/23…
#curl
CVSS is short for Common Vulnerability Scoring System and is, according to Wikipedia, a technical standard for assessing the severity of vulnerabilities in computing systems.
daniel.haxx.se
faker
in reply to daniel:// stenberg://
> Every CVE filed to MITRE is supposed to have a CVSS score set.
That's odd. I requested CVEs through them (cveform.mitre.org/); there is no field to provide a CVSS score.
Not sure if that makes it better or worse. Someone else without a clue of the system rates it, or the researcher initially rates it higher to make it "more important"? Both terrible choices.
CVE - Common Vulnerabilities and Exposures (CVE)
cveform.mitre.org
Peter Bindels
in reply to daniel:// stenberg://
To me it seems like CVSS is trying to do a dozen things at the same time, and is being potentially provided by multiple groups with conflicting ideas on what it should be based on what thing they're trying to make it do, and their own personal goals (explicit or implicit). There's no way that could ever work.
Heck, even simple risk assessment is two-dimensional - how likely is the risk, and how big is the impact when it happens. This is trying to flatten that, plus many more properties, into a single axis, and of course it's useless.
It would be much better if the CVSS was just dropped wholesale, and replaced with scores that have a relevant target. At the very least we can have the two axes that normal risk assessment puts on it, which would solve most of the CVSS silliness already. Add a third axis / score for user involvement, too, since a bug that can be triggered without users acting is much worse than one a user has to choose to run.
For example, your 9.8 "integer overflow could be abused" from a year ago would be marked as "impact minimal", "user invoked", "likelihood certain". Maybe even give a somewhat formatted field to indicate which platforms are affected, so things like vulnerability scanners can check if their platform is even listed in the first place. Critical Windows vulnerability that does not exist on Macs should not give rise to a forced update.
Raito Bezarius
in reply to daniel:// stenberg://
The more I think about and interact with the CVE ecosystem, the more I think we should have our own alternative ecosystem that explicitly does not live in their taxonomy.
Figure out the open source cooperation way of managing sec vulns and just make it so much better that the corporate world has to negotiate with us and we cease to be a cog
Rory McCune
in reply to daniel:// stenberg://
One approach you could take, which doesn't involve fictional CVSS scores but does avoid the risk of CISA (or others) causing you this kind of problem, would be to have a policy of using the mid-point of the severity range for each of your 4 severity bandings as the score.
That gives people a good idea of what the severity is, and avoids the problem you had here.
Máňa Zalabák
in reply to daniel:// stenberg://
Other than that, for me, it doesn't really have much difference without it, and I know better now not to focus on the score.
Ela
in reply to daniel:// stenberg://
The sad thing is: it could be a good system if used properly. It captures a lot of useful properties in the vector, especially when you go beyond the base score and include the temporal and environmental scores.
In my fever dreams, I'm imagining a system that captures my overall system architecture including security requirements, security boundaries, etc., so when a CVE is coming in, it automatically calculates an environmental score, based e.g. on "that's a local vuln, hard to exploit, on an appliance that doesn't really have any internal security boundaries anyway, on a network physically protected and behind seven firewalls, get lost" or "unauthenticated remote code execution in all configurations on a service handling valuable data, actually exposed to the Internet, actively exploited, all hands on deck NOW".
So from a vulnerability information consumer point of view, data points like exploitability, authenticated vs. unauthenticated, local or remote, actually confirmed by a person with an understanding of the code, make a huge difference, and it would be good to have them in machine readable format. Of course, a 9.8 slapped on by some analyst who doesn't even bother to look at the code doesn't help anyone.
daniel:// stenberg://
in reply to daniel:// stenberg://
CVSS Is Dead to Us | Hacker News
news.ycombinator.com
Richard Levitte
in reply to daniel:// stenberg://
Uhmmmm... so, make yourself a CVE authority on your stuff (effectively blocking anyone else from publishing anything on your stuff), and do nothing else (i.e. no CVE published).
Of course, it's a bit late for #curl, but you know, other projects?
(and yes, it's naughty. I'm in a naughty mood, yeah?)
London Eastfield 🇵🇸
in reply to daniel:// stenberg://
Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.
Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.
#security #infosec
Fabian ¯\_(ツ)_/¯
in reply to daniel:// stenberg://
That's why we (pentest company) do our own risk calculation method which actually includes likelihood and takes into account our customers' setup, environment, etc.
We only add cvss scores if the customer explicitly asks for it.
Serge Matveenko ♻️☮️Ⓐ
in reply to daniel:// stenberg://
This allows arguing for a better system while defending users from misinformation?
Serge Matveenko ♻️☮️Ⓐ
in reply to daniel:// stenberg://
AFAIU end users (like vulnerability scanners) rely on the LOW/HIGH/CRITICAL/... scale anyway. So this number is, most of the time, just an intermediate between curl's scale and the scanner's scale that uses the same system.
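Rory McCune's mid-point policy above, combined with Serge's observation that consumers bucket the number straight back into LOW/MEDIUM/HIGH/CRITICAL, worked through as an added example (not code from the curl project or from any poster in this thread). It assumes the CVSS v3.x qualitative rating bands and that a project's four severity levels map one-to-one onto them.

```python
"""Mid-point-of-the-band policy: publish a number that carries no more
information than the qualitative severity the project actually assigned,
and show that a consumer's bucketing recovers exactly that severity."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v3.x qualitative severity rating scale (score ranges from the spec).
# Assumption: the project's four severity levels map one-to-one onto these.
BANDS: dict[str, tuple[Decimal, Decimal]] = {
    "LOW": (Decimal("0.1"), Decimal("3.9")),
    "MEDIUM": (Decimal("4.0"), Decimal("6.9")),
    "HIGH": (Decimal("7.0"), Decimal("8.9")),
    "CRITICAL": (Decimal("9.0"), Decimal("10.0")),
}


def midpoint_score(severity: str) -> Decimal:
    """Policy score for a project-assigned severity: the middle of the
    matching band, rounded to one decimal like a real CVSS score.
    Decimal is used so 5.45 rounds to 5.5 deterministically."""
    lo, hi = BANDS[severity.upper()]
    return ((lo + hi) / 2).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def rating(score) -> str:
    """Consumer-side bucketing of any numeric score into a qualitative
    rating, the way a scanner or dashboard does it."""
    value = Decimal(str(score))
    if value == 0:
        return "NONE"
    for name, (lo, hi) in BANDS.items():
        if lo <= value <= hi:
            return name
    raise ValueError(f"score out of range: {score}")


def round_trips(severity: str) -> bool:
    """True if project band -> published number -> consumer band
    gives the original band back, i.e. the number added nothing."""
    return rating(midpoint_score(severity)) == severity.upper()


def policy_is_lossless() -> bool:
    """Check the property for every band the policy can emit."""
    return all(round_trips(band) for band in BANDS)


if __name__ == "__main__":
    for band in BANDS:
        print(f"{band:8s} -> {midpoint_score(band)} -> {rating(midpoint_score(band))}")
    print("lossless:", policy_is_lossless())
```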
daniel:// stenberg://
in reply to daniel:// stenberg://
cURL Project and Go Security Teams Reject CVSS as Broken - S...
Socket