Reply To: Is Patch Prioritization Based on CVSS Scores Alone Misleading?

#6317
Samhith
Participant

    I’m not saying throw it out, but relying solely on CVSS can be misleading. For example, take a high-severity vulnerability in a system that’s isolated and heavily firewalled. It’s less urgent than a medium-severity issue in a core business application.