Software vulnerabilities — love em or hate em, they’re crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (like CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding for why systems like CVSS are important to security practitioners, even those who’d rather be popping shells than pushing off patches whose scores are “too low to care about”.