CVSSv3 and Compliance Checks / Hardening Guides

In my day-to-day work as a security person I see things like common vulnerabilities which are described with the Common Vulnerability Scoring System Version 3.0 (CVSSv3), e.g. via the Common Vulnerability Scoring System Version 3.0 Calculator. And then there are common hardening guides like the Windows Security Baselines (Windows security baselines - Windows security | Microsoft Docs) and the CIS Benchmarks (for Linux, Windows, databases, xxx) https://www.cisecurity.org/cis-benchmarks/

Would you recommend describing the “Compliance Checks”, 100-300 per system, in the CVSSv3 vector (or is that nonsense)? For example, the entries in https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

thx :wink:

~ r4bit

I’ve never personally had a client ask for a CVSS → Hardening mapping, nor have I seen it in any report I’ve commissioned with external companies. I’m not entirely sure the effort required to do that would be worth what you’d get out of it, otherwise I’m sure I’d have come across it before.

That is the same thing I think - it's nonsense to do that. How would you prioritize 200 hardening checks?