
A turning point for CVE numbers

Posted Feb 15, 2024 7:16 UTC (Thu) by marcH (subscriber, #57642)
Parent article: A turning point for CVE numbers

> CVE numbers have become a target in their own right; following Goodhart's law, they would appear to have lost much of their value as a result.

Thank you for the Goodhart reference. Like most people I had seen many examples of this law but I could not yet see the forest for the trees and now I'm finally connecting all those dots.

Typical release rules like "no more than X bugs of priority Y" always felt subjective and artificial but now I understand exactly why. Priorities are by definition _relative_, so how could such rules make sense? If anything these rules should look at some absolute "severity", not a relative "priority", right? But in reality, the use of the word "priority" is an incredibly honest admission of Goodhart's law :-)

From at least that particular "metrics" perspective, security bugs are indeed just like other bugs.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds