NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

An Analysis of CVSS Version 2 Vulnerability Scoring

Published

Author(s)

Karen A. Scarfone, Peter M. Mell

Abstract

The Common Vulnerability Scoring System (CVSS) is a specification that is used to measure the relative severity of software vulnerabilities. CVSS version 2, which was finalized in June 2007, was designed to address several deficiencies discovered during analysis and use of the original version of CVSS. This paper analyzes the new version of CVSS to determine how effectively it addresses the deficiencies in the original version and to identify any major deficiencies the new version may have. This analysis is based primarily on an experiment that applied both CVSS version 1 and version 2 scoring to a large set of recent vulnerabilities. The analysis also involved examination of the theoretical characteristics of version 1 and version 2 scores.
Proceedings Title
Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09)
Conference Dates
October 14, 2009
Conference Location
Lake Buena Vista, FL
Conference Title
5th International Workshop on Security Measurement and Metrics (MetriSec 2009)
Pub Type
Conferences

Download Paper

https://doi.org/10.1109/ESEM.2009.5314220

Keywords

Common Vulnerability Scoring System (CVSS), risk assessment, vulnerability, vulnerability scoring
Cybersecurity and privacy

Citation

Scarfone, K. and Mell, P. (2009), An Analysis of CVSS Version 2 Vulnerability Scoring, Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09), Lake Buena Vista, FL, [online], https://doi.org/10.1109/ESEM.2009.5314220 (Accessed October 13, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created October 14, 2009, Updated May 4, 2021
Was this page helpful?