Litcius/Paper detail

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

Roland Croft, M. Ali Babar, Li Li

20222022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)21 citationsDOI

Abstract

Software Vulnerability (SV) severity assessment is a vital task for informing SV remediation and triage. Ranking of SV severity scores is often used to advise prioritization of patching efforts. However, severity assessment is a difficult and subjective manual task that relies on expertise, knowledge, and standardized reporting schemes. Consequently, different data sources that perform independent analysis may provide conflicting severity rankings. Inconsistency across these data sources affects the reliability of severity assessment data, and can consequently impact SV prioritization and fixing. In this study, we investigate severity ranking inconsistencies over the SV reporting lifecycle. Our analysis helps characterize the nature of this problem, identify correlated factors, and determine the impacts of inconsistency on downstream tasks. Our findings observe that SV severity often lacks consideration or is underestimated during initial reporting, and such SVs consequently receive lower prioritization. We identify six potential attributes that are correlated to this misjudgment, and show that inconsistency in severity reporting schemes can severely degrade the performance of downstream severity prediction by up to 77%. Our findings help raise awareness of SV severity data inconsistencies and draw attention to this data quality problem. These insights can help developers better consider SV severity data sources, and improve the reliability of consequent SV prioritization. Furthermore, we encourage researchers to provide more attention to SV severity data selection.

Topics & Concepts

PrioritizationRanking (information retrieval)Computer scienceReliability (semiconductor)Task (project management)Vulnerability (computing)TriageQuality (philosophy)Data miningRisk analysis (engineering)Data scienceInformation retrievalMedicineEngineeringProcess managementComputer securityMedical emergencyQuantum mechanicsPhilosophySystems engineeringEpistemologyPhysicsPower (physics)Software Engineering ResearchSoftware Reliability and Analysis ResearchWeb Application Security Vulnerabilities
An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources | Litcius