Concepedia

Publication | Closed Access

An analysis of CVSS version 2 vulnerability scoring

Citations: 167 | References: 2 | Year: 2009

TLDR

The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. CVSS version 2, finalized in 2007, was created to address deficiencies identified in the original version. The study evaluates whether CVSS v2 remedies those earlier shortcomings and whether it introduces new ones. The authors scored a large set of recent vulnerabilities under both v1 and v2 and examined the theoretical properties of the two scoring systems. They found that CVSS v2 met its stated goals, but that some of the changes had little effect on the resulting scores while making the scoring process more complex, and that the changes also had unintended consequences for organizations that rely primarily on CVSS scores to prioritize remediation.

Abstract

The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.
