DocumentCode :
2266003
Title :
An analysis of CVSS version 2 vulnerability scoring
Author :
Scarfone, Karen ; Mell, Peter
fYear :
2009
fDate :
15-16 Oct. 2009
Firstpage :
516
Lastpage :
525
Abstract :
The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.
Keywords :
software metrics; CVSS version 2; common vulnerability scoring system; software vulnerabilities; vulnerability remediation; Data security; Databases; Equations; Information security; NIST; National security; Performance analysis; Performance evaluation; Software engineering; Software measurement;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on
Conference_Location :
Lake Buena Vista, FL
ISSN :
1938-6451
Print_ISBN :
978-1-4244-4842-5
Electronic_ISBN :
1938-6451
Type :
conf
DOI :
10.1109/ESEM.2009.5314220
Filename :
5314220
Link To Document :