Evaluating CVSS Base Score Using Vulnerability Rewards Programs

Authors

  • Awad A. Younis
  • Yashwant K. Malaiya
  • Indrajit Ray
Abstract

The CVSS Base Score and its underlying metrics have been widely used, and recently there have been attempts to validate them. Some researchers have questioned the CVSS metrics because of a lack of correlation with reported exploits and attacks. In this research, we use the independent severity scales of vulnerability reward programs (VRPs) to see whether they correlate with the CVSS Base Score. We examine 1559 vulnerabilities in the Mozilla Firefox and Google Chrome browsers. The results show a significant correlation between the VRP severity ratings and the CVSS scores when three-level rankings are used. For both approaches, the sets of vulnerabilities rated Critical or High severity share a large number of vulnerabilities, again suggesting mutual confirmation. The results suggest that the CVSS Base Score may be a useful metric for prioritizing vulnerabilities, and that the notable lack of exploits for high-severity vulnerabilities may be the result of those vulnerabilities being fixed first.
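The comparison the abstract describes, collapsing both scales to three ordinal levels and then measuring correlation and top-bucket overlap, as an added worked example (not code from the paper, NVD, or either browser's VRP). The cut points follow NVD's published qualitative bands for CVSS v2 and v3; the mapping of VRP vocabulary ("critical", "high", "moderate"/"medium", "low") onto three levels, the choice of Spearman's rank correlation as the statistic, the `analyse` and `average_ranks` helpers, and the `VULN-nn` records are all assumptions made here for illustration, since the page does not state which statistic or exact binning the paper used.

```python
"""Three-level severity agreement between CVSS Base Scores and VRP ratings.

Added worked example, not code from the paper. Cut points follow NVD's
qualitative bands (v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0;
v3: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).
The VRP vocabulary map, Spearman's rho, and the sample records are assumptions.
"""
import math
from collections import Counter


def cvss_v2_severity(score: float) -> str:
    """NVD qualitative band for a CVSS v2 base score (three levels)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def cvss_v3_severity(score: float) -> str:
    """CVSS v3 qualitative band (five levels, unlike v2's three)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


# Collapse both scales to three ordinal levels (assumption: Critical and High
# share the top bucket, which is what a three-level ranking implies here).
CVSS_TO_LEVEL = {"Critical": 3, "High": 3, "Medium": 2, "Low": 1, "None": 1}
VRP_TO_LEVEL = {"critical": 3, "high": 3, "moderate": 2, "medium": 2, "low": 1}


def average_ranks(values):
    """1-based ranks, ties get their average rank (unavoidable with 3 levels)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2          # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman's rho: Pearson correlation of the tie-averaged ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:
        raise ValueError("correlation undefined for a constant series")
    return cov / math.sqrt(vx * vy)


# Constructed sample: (hypothetical id, CVSS v2 base score, VRP rating).
# Records 04 and 08 are deliberate disagreements between the two scales.
SAMPLE = [
    ("VULN-01", 9.3, "critical"), ("VULN-02", 7.5, "high"),
    ("VULN-03", 6.8, "moderate"), ("VULN-04", 4.3, "low"),
    ("VULN-05", 2.6, "low"),      ("VULN-06", 10.0, "critical"),
    ("VULN-07", 5.0, "moderate"), ("VULN-08", 7.2, "moderate"),
    ("VULN-09", 4.0, "medium"),   ("VULN-10", 3.5, "low"),
]


def analyse(records, cvss_version=2):
    """Correlate the two three-level rankings and measure top-bucket overlap."""
    to_sev = cvss_v2_severity if cvss_version == 2 else cvss_v3_severity
    cvss_lv = [CVSS_TO_LEVEL[to_sev(s)] for _, s, _ in records]
    vrp_lv = [VRP_TO_LEVEL[r.lower()] for _, _, r in records]
    cvss_top = {vid for (vid, _, _), lv in zip(records, cvss_lv) if lv == 3}
    vrp_top = {vid for (vid, _, _), lv in zip(records, vrp_lv) if lv == 3}
    return {
        "rho": spearman(cvss_lv, vrp_lv),
        "agreement": sum(a == b for a, b in zip(cvss_lv, vrp_lv)) / len(records),
        "contingency": Counter(zip(cvss_lv, vrp_lv)),
        "shared_top": sorted(cvss_top & vrp_top),
        "top_jaccard": len(cvss_top & vrp_top) / len(cvss_top | vrp_top),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(f"Spearman rho = {result['rho']:.3f}, "
          f"exact agreement = {result['agreement']:.0%}")
    print("shared Critical/High set:", result["shared_top"],
          f"(Jaccard {result['top_jaccard']:.2f})")
```

With only three ordinal levels almost every value is tied, so the rank correlation must use tie-averaged ranks; a naive `1 - 6*sum(d^2)/(n(n^2-1))` shortcut is only valid without ties. The contingency counter is what to inspect when rho is high but the top buckets still differ, as with the two deliberate disagreements in the sample.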


Similar sources

System - Vulnerabilities #1 - Acos 3.x, 4.x

Item  Vulnerability ID  Score source  Score  Severity  Summary
1     CVE-2015-2059     CVSS 2.0      7.5    High      libidn: out-of-bounds read with stringprep on invalid UTF-8 [1]
2     CVE-2011-1425     CVSS 2.0      7.5    High      xmlsec1: arbitrary file creation when verifying signatures [2]
3     CVE-2015-7696     CVSS 3.0      6.8    Med       unzip: heap overflow and DoS in 6.0 [3]
4     CVE-2014-9471     CVSS 2.0      7.5    High      coreutils: memory corruption flaw in parse_...


Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities

With increasing dependency on IT infrastructure, the main objective of a system administrator is to maintain a stable and secure network and to ensure that the network is robust against malicious network users such as attackers and intruders. Security risk management provides a way to manage the growing threats to infrastructures or systems. This paper proposes a framework for risk level estima...


My Software has a Vulnerability, should I worry?

Rule-based policies to mitigate software risk suggest using the CVSS score to measure the risk of an individual vulnerability and acting accordingly: a HIGH CVSS score according to the NVD (the U.S. National Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such a rule is economically sensible, in particular if reported vulnerabilities have been actually exploited ...


Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

[Context] The CVSS framework provides several dimensions for scoring vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company's computing environments and security requirements. [Question] How difficult is it for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical...


On Computing Enterprise IT Risk Metrics

Sandeep Bhatt, William Horne, Prasad Rao. HP Laboratories, HPL-2011-26. External posting date: February 21, 2011; approved for external publication. Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security pa...


Journal title:

Volume   Issue

Pages  -

Publication date 2016