An analysis of CVSS version 2 vulnerability scoring
The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.