Monday, December 31, 2007

CVSS

The new CVSS version 2.0 was released in August of 2007 (OK, I'm a little behind) and I was very disappointed that the environmental score was not changed to include a parameter for the criticality of the asset in question. The environmental score is a large determinant of the final score, but it does not take into account the criticality of the asset in question. Yes, there may only be 4 of our systems affected by the latest sploit, but if they are your most critical e-commerce servers, then a low environmental score is not warranted in this situation. I like the CVSS scoring system as a means to prioritize risks for patching purposes, but the environmental score needs further work IMHO.
