An Analysis of CVSS Version 2 Vulnerability Scoring

Published

Author(s)

Karen A. Scarfone, Peter M. Mell

Abstract

The Common Vulnerability Scoring System (CVSS) is a specification that is used to measure the relative severity of software vulnerabilities. CVSS version 2, which was finalized in June 2007, was designed to address several deficiencies discovered during analysis and use of the original version of CVSS. This paper analyzes the new version of CVSS to determine how effectively it addresses the deficiencies in the original version and to identify any major deficiencies the new version may have. This analysis is based primarily on an experiment that applied both CVSS version 1 and version 2 scoring to a large set of recent vulnerabilities. The analysis also involved examination of the theoretical characteristics of version 1 and version 2 scores.
Proceedings Title
Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09)
Conference Dates
October 14, 2009
Conference Location
Lake Buena Vista, FL
Conference Title
5th International Workshop on Security Measurement and Metrics (MetriSec 2009)

Keywords

Common Vulnerability Scoring System (CVSS), risk assessment, vulnerability, vulnerability scoring

Citation

Scarfone, K. and Mell, P. (2009), An Analysis of CVSS Version 2 Vulnerability Scoring, Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09), Lake Buena Vista, FL, [online], https://doi.org/10.1109/ESEM.2009.5314220 (Accessed March 29, 2024)
Created October 14, 2009, Updated May 4, 2021