Exploitation and PoC better definitions. #1193

Description

@sei-vsarvepalli

Describe the bug
Most of this comes from Karel Knibbe from Volerion making recommendations on this metric. It is worth discussion and a decision to mature this Exploitation Decision Point:

There has been one thing about the Exploitation metric that stood out to me, and that I've been meaning to mention to you. Now that SSVC is in demand and my code is compiling, this seems like a good time.

The Exploitation metric prescribes a value of "PoC" for weaknesses that follow a somewhat generic, well-known exploitation vector, e.g., CWE-22 (Path Traversal). However, since knowing the type of weakness tells us nothing about where it was found or how it may be reproduced, that kind of use seems unhelpful to me.

I've seen many such vulnerabilities, but one example I could query from the database was: https://nvd.nist.gov/vuln/detail/CVE-2025-5740. You could probably see how that would make for noisy outcomes.

I'm curious to know what your thoughts on this are. Perhaps this was not meant to be taken literally, but I do believe it would be more helpful to omit this from the definition entirely. Instead, I expect the most helpful definition to regard some kind of reproduction artifact: an image that leads to a crash when opened, a set of steps that may be followed to validate (mis)behavior, etc.

I'm open to sparring with you on this, and I could potentially provide you with real-world examples, since I do have a pretty extensive dataset to query from.
