The scores do fail though - they don't encompass enough information. They can't encompass enough information because something that is critical in one sense (e.g., and making shit up here, Java listening to the internet) might not be in another (e.g. Java running on specific scientific data in an airgapped environment). Security is always situation and risk-appetite dependent. No number can encompass all that.
The scores do fail though - they don't encompass enough information. They can't encompass enough information because something that is critical in one sense (e.g., and making shit up here, Java listening to the internet) might not be in another (e.g. Java running on specific scientific data in an airgapped environment). Security is always situation and risk-appetite dependent. No number can encompass all that.