The Common Vulnerability Scoring System (CVSS) is a specification that is used to measure the relative severity of software vulnerabilities. CVSS version 2, which was finalized in June 2007, was designed to address several deficiencies discovered during analysis and use of the original version of CVSS. This paper analyzes the new version of CVSS to determine how effectively it addresses the deficiencies in the original version and to identify any major deficiencies the new version may have. This analysis is based primarily on an experiment that applied both CVSS version 1 and version 2 scoring to a large set of recent vulnerabilities. The analysis also involved examination of the theoretical characteristics of version 1 and version 2 scores.
Proceedings Title: Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement (ESEM '09)
Conference Dates: October 14, 2009
Conference Location: Lake Buena Vista, FL
Conference Title: 5th International Workshop on Security Measurement and Metrics (MetriSec 2009)
Pub Type: Conferences
Keywords: Common Vulnerability Scoring System (CVSS), risk assessment, vulnerability, vulnerability scoring