The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.