Publication Citation: An Analysis of CVSS Version 2 Vulnerability Scoring

Author(s): Karen A. Scarfone; Peter M. Mell
Title: An Analysis of CVSS Version 2 Vulnerability Scoring
Published: October 14, 2009
Abstract: The Common Vulnerability Scoring System (CVSS) is a specification that is used to measure the relative severity of software vulnerabilities. CVSS version 2, which was finalized in June 2007, was designed to address several deficiencies discovered during analysis and use of the original version of CVSS. This paper analyzes the new version of CVSS to determine how effectively it addresses the deficiencies in the original version and to identify any major deficiencies the new version may have. This analysis is based primarily on an experiment that applied both CVSS version 1 and version 2 scoring to a large set of recent vulnerabilities. The analysis also involved examination of the theoretical characteristics of version 1 and version 2 scores.
Conference: 5th International Workshop on Security Measurement and Metrics (MetriSec 2009)
Proceedings: Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09)
Pages: pp. 516 - 525
Location: Lake Buena Vista, FL
Dates: October 14, 2009
Keywords: Common Vulnerability Scoring System (CVSS); risk assessment; vulnerability; vulnerability scoring
Research Areas: Threats & Vulnerabilities, Computer Security
DOI: http://dx.doi.org/10.1109/ESEM.2009.5314220