NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Published

Author(s)

Elizabeth LeMay, Peter Mell, Karen Scarfone

Abstract

The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities are present when the trust assumptions made when designing software features can be abused in ways that violates security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the severity of vulnerabilities due to software flaws. CMSS can assist organizations in making sound decisions as to how software feature misuse vulnerabilities should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CMSS and equations to be used to combine the measures into severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be determined for selected software feature misuse vulnerabilities.
Citation
NIST Interagency/Internal Report (NISTIR) - 7864
Report Number
7864
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.IR.7864
Local Download

Keywords

security measurement, trust misuse, vulnerability measurement, vulnerability scoring
Information technology and Cybersecurity and privacy

Citation

LeMay, E. , Mell, P. and Scarfone, K. (2012), The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.7864, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=910230 (Accessed October 6, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created July 9, 2012, Updated October 12, 2021
Was this page helpful?