Vulnerability Haruspicy: Using Woo To Confirm Your Biases

Tod Beardsley

NorthSec 2025 · Day 2 · Ville-Marie

Tod Beardsley of runZero dissects the three dominant vulnerability scoring systems — CVSS, EPSS, and SSVC — with the same sceptical rigor he would apply to reading sheep livers. His central argument: each system produces a kind of structured confirmation bias that feels like science, practitioners misuse all three in ways their designers did not intend, and the most actionable information in CVSS is buried in the vectors rather than the headline score. A companion paper accompanies the talk.

AI review

runZero's Tod Beardsley dissects CVSS, EPSS, and SSVC with empirical data from 76 days of CVE publications, exposes the mathematical compression of CVSS scores, argues for reading vectors over numbers, and synthesizes how practitioners should actually combine all three systems.
