Watch the stream
Vulnerability scoring is supposed to bring order to the chaos of risk management, but in practice, it can feels more like reading tarot cards or poking at entrails than applying science. CVSS performs monkey math to force fractal bell curves, EPSS tries to predict exploitation with statistical black magicks, and SSVC ditches math entirely in favor of structured gut feelings.
Meanwhile, defenders mix and match shortcuts — KEV lists, vendor advisories, and lived experience — to separate the truly urgent from the merely annoying. But are we actually making better risk decisions, or just using these frameworks to justify what we were going to do anyway?
This talk will dig into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities. Tod will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation. Expect debate, disagreements, and plenty of astrology jokes.