NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Measuring the Common Vulnerability Scoring System Base Score Equation

Published

Author(s)

Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, Christopher Turner

Abstract

This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 ''base score'' equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information technology vulnerabilities; it is based on human expert opinion. This study is important because the equation design has been questioned since it has features that are both non-intuitive and unjustified by the CVSS specification. If one can show that the equation reflects CVSS expert opinion, then that study justifies the equation and the security community can treat the equation as an opaque box that functions as described. This work shows that the CVSS base score equation closely though not perfectly represents the CVSS maintainers' expert opinion. The CVSS specification itself provides a measurement of error called ''acceptable deviation'' (with a value of 0.5 points). In this work, the distance between the CVSS base scores and the closest consistent scoring systems (ones that completely conform to the recorded expert opinion) is measured. The authors calculate that the mean scoring distance is 0.13 points and the maximum scoring distance is 0.40 points. The acceptable deviation was also measured to be 0.20 points (lower than claimed by the specification). These findings validate that the CVSS base score equation represents the CVSS maintainers' domain knowledge to the extent described by these measurements.
Citation
NIST Interagency/Internal Report (NISTIR) - 8409
Report Number
8409
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.IR.8409
Local Download

Keywords

computer, Common Vulnerability Scoring System, error, expert opinion, measurement, measuring, metrics, network, scoring, security
Risk management, Cybersecurity measurement and Cybersecurity and privacy

Citation

Mell, P. , Spring, J. , Dugal, D. , Ananthakrishna, S. , Casotto, F. , Fridley, T. , Ganas, C. , Kundu, A. , Nordwall, P. , Pushpanathan, V. , Sommerfeld, D. , Tesauro, M. and Turner, C. (2022), Measuring the Common Vulnerability Scoring System Base Score Equation, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8409, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935413 (Accessed October 27, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created November 15, 2022, Updated November 29, 2022
Was this page helpful?