
To what extent can the vulnerability scoring system be trusted?

Blog post   •   Jan 13, 2017 08:00 CET

The foreseeti researchers Pontus Johnson, Mathias Ekstedt and Robert Lagerström, together with Ulrik Franke, have authored an article titled "Can the Common Vulnerability Scoring System be Trusted? A Bayesian Analysis".

The abstract reads as follows:

“The Common Vulnerability Scoring System (CVSS) is the state-of-the-art system for assessing software vulnerabilities. However, it has been criticized for lack of validity and practitioner relevance. In this paper, the credibility of the CVSS scoring data found in five leading databases – NVD, X-Force, OSVDB, CERT-VN, and Cisco – is assessed. A Bayesian method is used to infer the most probable true values underlying the imperfect assessments of the databases, thus circumventing the problem that ground truth is not known. It is concluded that with the exception of a few dimensions, the CVSS is quite trustworthy. The databases are relatively consistent, but some are better than others. The expected accuracy of each database for a given dimension can be found by marginalizing confusion matrices. By this measure, NVD is the best and OSVDB is the worst of the assessed databases.”
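The two ideas in the abstract that matter to a practitioner are (a) inferring the most probable true value of a CVSS dimension from several databases that all make mistakes, without any ground truth, and (b) turning a database's confusion matrix into a single expected-accuracy number by marginalizing over the class prior. The example below is added here to illustrate both; it is not the paper's model, code or data. It uses a simplified Dawid-Skene style expectation-maximization over one dimension (Access Vector with values L, A, N), assumes that databases err independently given the true value, and runs on a constructed set of observations from three hypothetical databases (db_a, db_b, db_c); the names and values are invented for the illustration, not taken from NVD, X-Force, OSVDB, CERT-VN or Cisco.

```python
"""Toy Dawid-Skene estimate of per-database CVSS accuracy without ground truth.

Added illustration, not the paper's model or data. Database names and the
observations below are constructed. Assumes each database reports one value per
vulnerability for one CVSS dimension (Access Vector: L, A, N) and that the
databases make errors independently of each other given the true value.
"""
from collections import defaultdict

CATEGORIES = ("L", "A", "N")  # Access Vector values: Local, Adjacent, Network

# Constructed observations: vulnerability id -> {hypothetical database: reported value}.
# db_a is built to be reliable, db_b to slip occasionally, db_c to be noisy.
OBSERVATIONS = {
    "v01": {"db_a": "N", "db_b": "N", "db_c": "N"},
    "v02": {"db_a": "N", "db_b": "N", "db_c": "L"},
    "v03": {"db_a": "L", "db_b": "L", "db_c": "L"},
    "v04": {"db_a": "A", "db_b": "A", "db_c": "N"},
    "v05": {"db_a": "N", "db_b": "N", "db_c": "N"},
    "v06": {"db_a": "L", "db_b": "N", "db_c": "L"},
    "v07": {"db_a": "N", "db_b": "N", "db_c": "A"},
    "v08": {"db_a": "A", "db_b": "A", "db_c": "A"},
    "v09": {"db_a": "N", "db_b": "N", "db_c": "N"},
    "v10": {"db_a": "L", "db_b": "L", "db_c": "N"},
    "v11": {"db_a": "N", "db_b": "A", "db_c": "N"},
    "v12": {"db_a": "N", "db_b": "N"},  # db_c has no entry for this one
}


def _normalize(weights):
    total = sum(weights.values())
    return {k: v / total for k, v in weights.items()}


def majority_init(observations):
    """Initial soft label per vulnerability: vote share with light smoothing."""
    posterior = {}
    for vid, reports in observations.items():
        counts = {c: 0.1 for c in CATEGORIES}  # smoothing avoids zero probabilities
        for value in reports.values():
            counts[value] += 1.0
        posterior[vid] = _normalize(counts)
    return posterior


def m_step(observations, posterior, alpha=0.5):
    """Re-estimate the class prior and each database's confusion matrix
    P(reported | true) from the current soft labels (alpha = Dirichlet smoothing)."""
    prior = {c: alpha for c in CATEGORIES}
    for vid in observations:
        for c in CATEGORIES:
            prior[c] += posterior[vid][c]
    prior = _normalize(prior)

    counts = defaultdict(lambda: {t: {o: alpha for o in CATEGORIES} for t in CATEGORIES})
    for vid, reports in observations.items():
        for db, reported in reports.items():
            for t in CATEGORIES:
                counts[db][t][reported] += posterior[vid][t]
    confusion = {db: {t: _normalize(row) for t, row in m.items()} for db, m in counts.items()}
    return prior, confusion


def e_step(observations, prior, confusion):
    """Posterior over the true value of each vulnerability given all reports."""
    posterior = {}
    for vid, reports in observations.items():
        weights = {}
        for t in CATEGORIES:
            w = prior[t]
            for db, reported in reports.items():
                w *= confusion[db][t][reported]
            weights[t] = w
        posterior[vid] = _normalize(weights)
    return posterior


def estimate(observations, iterations=50):
    """Alternate E and M steps; no ground truth is ever consulted."""
    posterior = majority_init(observations)
    for _ in range(iterations):
        prior, confusion = m_step(observations, posterior)
        posterior = e_step(observations, prior, confusion)
    return prior, confusion, posterior


def expected_accuracy(prior, confusion_matrix):
    """Marginalize the confusion matrix over the class prior:
    sum_t P(true = t) * P(reported = t | true = t)."""
    return sum(prior[t] * confusion_matrix[t][t] for t in CATEGORIES)


def rank_databases(observations):
    """Databases ordered from highest to lowest expected accuracy."""
    prior, confusion, _ = estimate(observations)
    accuracy = {db: expected_accuracy(prior, m) for db, m in confusion.items()}
    return sorted(accuracy.items(), key=lambda kv: kv[1], reverse=True)


def most_probable_values(observations):
    """The inferred true value of the dimension for each vulnerability."""
    _, _, posterior = estimate(observations)
    return {vid: max(p, key=p.get) for vid, p in posterior.items()}


if __name__ == "__main__":
    for db, acc in rank_databases(OBSERVATIONS):
        print(f"{db}: expected accuracy {acc:.3f}")
    print(most_probable_values(OBSERVATIONS))
```

On this constructed input the ranking comes out db_a, db_b, db_c, and the disputed entries (v06, v11) resolve to the value reported by the more reliable databases rather than by plain majority. The conditional-independence assumption is the main caveat: databases that copy each other's scores will look more accurate than they are, which is one reason the paper's own model and data, not this toy, should be consulted before drawing conclusions about NVD or OSVDB.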

To read the entire article, visit
