About the different risk ratings of Anti-virus bypasses

As you may or may not know, I reported quite some Anti-virus bypasses and evasions lately. Most of them have been categorised and rated by vulnerability database maintainers, such as NIST, Secunia, X-force and others now.

I am especially interested in the risk ratings assigned to them. It is quite difficult to rate them - imo you can only rate them in a particular scenario, case by case.

The ratings couldn't be more different.

Ratings :

• Xforce : Risk Rating - Medium (Xforce only knows 3 risk ratings, High Medium or low)
• NIST : CVSS scoring of 10 (to put that in perspective, 10 is as critical as it can get)
• Secunia : Risk rating - Low

I think this reflects the current state of risk management and risk assessment pretty well. "Highly subjective" to say the least.. NIST for instance rates Confidentiality, Integrity and Availability as completely compromised. While I surely don't think bypasses deserve a 10, I don't think the risk is very low (Secunia). I would rate it similar to Xforce