Towards Improving CVSS

December 2018 White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder, Art Manion, Deana Shick

This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).


Software Engineering Institute


In this paper, the authors outline challenges with the Common Vulnerability Scoring System (CVSS) published standard and propose changes to improve it. This paper focuses on common misconceptions and misuses of CVSS. For an alternative system of vulnerability prioritization, see Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization.

The authors have presented a system that overcomes some of these challenges in a new publication, the Stakeholder-Specific Vulnerability Categorization.

An updated version of "Towards Improving CVSS" has been published in IEEE Security and Privacy as "Time to Change the CVSS?"