Litcius/Paper detail

Time to Change the CVSS?

Jonathan Spring, Eric Hatleback, Allen D. Householder, Art Manion, Deana Shick

2021IEEE Security & Privacy45 citationsDOI

Abstract

According to its creators, the Common Vulnerability Scoring System (CVSS) "provides a way to capture the principal characteristics of a vulnerability ... reflecting its severity ... to help organizations properly assess and prioritize their vulnerability management processes." <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</sup> However, the CVSS scoring algorithm is not justified, either formally or empirically. According to the specification, using CVSS directly as a risk score is a mistake. Yet some compliance bodies recommend such misuse explicitly, for example, the U.S. government and the global payment card industry. The CVSS is suggested for misuse by federal civilian departments and agencies via National Institute of Standards and Technology (NIST) guidance (for example, Special Publications 800-115, page 7-4 and 800-40r3, page 4). PCI Data Security Standard requires such misuse in, for example, the regulation on Approved Scanning Vendors (v3). But even those organizations that use CVSS to "properly assess and prioritize their vulnerability management processes" are using unreliable output. We argue that the current CVSS version is still inadequate for both its intended purpose and as a proxy for risk to a vulnerable system. This article will summarize the ways the CVSS formula is unjustified and the ways it fails to properly inform vulnerability management before suggesting a way forward to reduce these problems.

Topics & Concepts

MistakeVulnerability (computing)Computer scienceVulnerability assessmentComputer securityRisk managementRisk analysis (engineering)BusinessPsychological interventionMedicineLawPolitical scienceFinancePsychiatryInformation and Cyber SecurityAdvanced Malware Detection TechniquesSpam and Phishing Detection