The bogus CVE problem

Posted Sep 20, 2023 14:21 UTC (Wed) by bearstech (subscriber, #160755)
In reply to: The bogus CVE problem by wtarreau
Parent article: The bogus CVE problem

I work for companies who misconduct in that way, so the problem might spread to your company without your consent. At least I got to bill them for handling that nonsense bureaucracy.

The main flow of alerts/requests I've been handling for close to a year is composed of ... requests to add anti-XSS HTTP headers. By far. At the same time I got _zero_ status requests on the Zenbleed/Inception mayhem from this summer. The cultural gap is that wide.

In my case the problem is clearly companies who want to adopt security policies but are not trained in computer security. I can't blame them, except their CTO, who most of the time is totally missing the point while thinking that security is just another component that needs dashboards and reports, and done.

CVE ranking is conceptually wrong: a security issue must be evaluated in context and is multi-faceted, so there should never be a single figure in the first place. When talking with a dev or project manager I can educate them about those issues and explain to them how to handle a specific security issue in context, which is often satisfying for both parties. But then it won't bubble up to the top management and against the solidified bureaucracy they call security policy.


The bogus CVE problem

Posted Sep 29, 2023 4:01 UTC (Fri) by wtarreau (subscriber, #51152)

I totally agree with what was said above!


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds