If you are a software vendor, IT administrator, or CSIRT team, you are probably using the Common Vulnerability Scoring System (CVSS) in one way or another. The CERT/CC recently published a white paper entitled Towards Improving CVSS that outlines what we consider to be major challenges with the standard and discusses some ways forward. This post is a summary of that paper; if you are interested, please review the full paper for an elaboration of the concerns outlined below.
CVSS was designed to measure the technical severity of a vulnerability but is widely misused as a means of vulnerability prioritization and assessing risk. The scoring algorithm is not well justified and lacks the transparency needed for the community to understand its intended function. Further, the misuse of CVSS as a risk score means that you are not likely learning what you thought you were learning from it. These challenges suggest that at least the following should be done:
- The CVSS-SIG (Special Interest Group) and the community should address the flaws in CVSS, not their symptoms.
- The scoring formula needs to be redone, essentially from scratch, with transparent and adequate empirical justification.
The overall task is large, but we have a few suggestions towards achieving the goal of a better CVSS. First, adequate user studies should be conducted to understand how organizations use CVSS in their risk assessments today. Second, an empirical study of the consistency of human scoring using CVSS is needed. These studies should be done before devising a new scoring formula, to help inform its construction, and then they should be repeated on any new formula to help validate its robustness. The paper outlines a robust scoring system with the features necessary to support this end.
There are usability issues with, and formal challenges to, CVSS as it stands today. What people seem to want to know is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability. Either it should be made clear that CVSS reflects severity, not risk, or CVSS must be adjusted to make it reflect risk so users of CVSS can make more informed decisions. Once CVSS's intended usage is clarified, the challenge remains to design a scoring system that is actually reliable and transparently justified.
CERT Vulnerability Notes currently include full CVSS v2.0 scores and likely will until there is a viable alternative. The community needs to understand what the various interest groups want from CVSS, account for those human contexts, account for the various relevant technical contexts, and then transparently design a scoring algorithm that satisfactorily informs the decisions of those groups.
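To make the severity-versus-risk distinction concrete, here is an added example (not code from this post or from the paper) that re-implements the CVSS v2.0 base and temporal equations using the weights published in the v2.0 guide. The base score is a function of the six base metrics only, so two constructed vulnerabilities that differ in exploit availability and patch status receive the same base score; only the temporal metrics separate them, and nothing in the base vector captures asset exposure or value.

```python
# Added example: transparent re-implementation of the CVSS v2.0 base and
# temporal equations with the published constants. The vector strings used
# for illustration are constructed, not taken from any real advisory.

BASE = {  # metric -> {value: weight}, from the CVSS v2.0 guide
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL = {  # exploitability, remediation level, report confidence
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}

def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' into a {metric: value} dict."""
    return dict(part.split(":", 1) for part in vector.split("/"))

def base_score(vector):
    """CVSS v2.0 base score: depends on the six base metrics and nothing else."""
    m = parse_vector(vector)
    w = lambda k: BASE[k][m[k]]
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    if impact == 0:  # spec: f(Impact) = 0 when there is no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)

def temporal_score(base, vector):
    """Scale a rounded base score by the three temporal multipliers."""
    m = parse_vector(vector)
    factors = TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]]
    return round(base * factors, 1)

def compare(base_vector, temporal_a, temporal_b):
    """Same base vector under two temporal contexts: (base, temporal_a, temporal_b)."""
    b = base_score(base_vector)
    return b, temporal_score(b, temporal_a), temporal_score(b, temporal_b)

if __name__ == "__main__":
    # Constructed: a remotely reachable flaw with partial C/I/A impact (base 7.5),
    # once with unproven exploit code and an official fix, once with widespread
    # exploitation and no fix. The base score alone cannot tell them apart.
    print(compare("AV:N/AC:L/Au:N/C:P/I:P/A:P", "E:U/RL:OF/RC:C", "E:H/RL:U/RC:C"))
```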
We have participated in the CVSS-SIG for many years and we sincerely appreciate their thoughtful feedback on earlier drafts of the paper. While the views expressed in this blog post and the paper do not necessarily represent those of the CVSS-SIG, we plan to continue to work with the SIG and the community towards improving CVSS and vulnerability prioritization in general.
This post is a collaboration of the authors of the paper: Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, and Deana Shick.