
Towards Improving CVSS

White Paper
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
Publisher: Software Engineering Institute

Abstract

In this paper, the authors outline challenges with the Common Vulnerability Scoring System (CVSS) published standard and propose changes to improve it. This paper focuses on common misconceptions and misuses of CVSS. For an alternative system of vulnerability prioritization, see Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization.

The authors have presented a system that overcomes some of these challenges in a new publication, the Stakeholder-Specific Vulnerability Categorization: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459.

An updated version of "Towards Improving CVSS" has been published in IEEE Security and Privacy as "Time to Change the CVSS?": https://ieeexplore.ieee.org/document/9382369.