CypherCon 2024

Styrofoam in a Landfill: CVSS Never Changes

Jack Hatwick


“The days of “patch all the things” or “just patch the criticals” is over. These old practices no longer serve modern enterprise environments well. Zero days are now a common monthly and sometimes weekly occurrence, non-zero days are being weaponized faster than ever, and attackers continue to develop malware and exploits for old CVEs. Yet CVSS scores NEVER change. We have to change our methods, processes, and mindset to keep up.


Importance: This is NOT a vendor talk. This is a perspective of someone who has had to build 3 vulnerability management programs from scratch and has been inundated with CVSS Critical fatigue and scoring methods that don’t really give one an objective criteria for prioritizing issues to fix.

After this talk, audience members will have new ideas and concepts they can apply with no need for extra commercial tooling, though there are tools that can make the job easier.”

Jack Hatwick

CVSS Scores never change!

0DDJ0BB has been Blue since 2013. He has quickly risen from the ranks as an engineer, consultant, IR analyst, Vulnerability Management Lead, and Senior Director.. His background in education, bio-sciences, finance, retail, manufacturing, and healthcare give him a unique view on what it takes to build an InfoSec program given limited resources. He is host of the Glass of 0J YouTube Channel and is a Founding member of CircleCityCon.