Hopefully this is the right place to ask a question like this.
Today I looked in the ISC2 Vulnerability Central for the CVSS score for Meltdown and Spectre. To my surprise they scored pretty high. But when I look at NIST NVD, the scores seem to differ. My question is: why do they differ?
Not sure, but I suspect that as ISC2 is using https://www.cytenna.com/technology.html, the scores are different because the NVD is scoring in a certain way and Cytenna is doing something different.
It would make sense to me that these were higher up the chain, even though they will take some smarts to exploit, because of the ubiquity, time to patch, performance impact of the patch, etc.
Whoever works at Cytenna can probably explain more/better.
As far as I can see, for CVE-2017-5754 the differences come down to the following:
That's a good point. I had tried to think of similar hardware issues that affect all software, and the closest I could think of was Rowhammer. I tried to dig up how it was scored (I think CVE-2015-0565), but I haven't been able to find details.
For an overview of Meltdown and Spectre, I recommend watching the following video from
SANS Digital Forensics and Incident Response: https://www.youtube.com/watch?v=8FFSQwrLsfE