How good are you at scoring security vulnerabilities, really? Boffins seek infosec pros to take rating skill survey

A German academic is running a study into the effectiveness of vulnerability scores – and is hoping the research will shed more light on the occasionally controversial system. By running a survey on whether infosec bods think the Common Vulnerability Scoring System (CVSS) is a useful tool for assessing security flaws, Dr …

  1. claimed

    So there are ~99 different scores, right, from 0.0 to 10.0? Surely there are more than 99 different ways for people to screw up code. So we'll always see a 'bucket' effect, and on top of that how are you to cross reference those. It's a hard problem, no wonder there is variance.

    1. steven_t

      Bucket effect

      The bucket effect is expected. The scoring system is designed to be an assessment of the severity of an issue so, obviously, different types of issues with similar severities ought to end up with the same score.

      I don't generally use the CVSS score on its own. It is worked out from other metrics, such as Access Vector and Confidentiality Impact, and I find these really useful for deciding what the potential risk is to our systems.

      We once had a security audit from a firm that ranked their results as Critical, High, Medium and Low with absolutely no consistency as to how they chose the severity. They ranked nearly everything, even things with no actual security impact, as Critical or High, and would not justify that decision. CVSS is far, far better than that arbitrary system. It isn't perfect, however, as the article explains.

      1. Halfmad

        Re: Bucket effect

        I agree, CVSS is generally one of several factors to be considered. I always take it as a starting point then look at how that particular vulnerability could/can impact the business.

        I've seen some vulnerabilities scored in the low 6s which could have impacted us far higher than many of the routine types scoring 9+ due to how the business operated.

        Anyone relying solely on the CVSS score needs to rethink their processes. It's purely a generalised indicator.

        1. 0laf

          Re: Bucket effect

          @Halfmad - This

          CVSS is useful as a baseline but it isn't a measure of risk. It also takes no account of the aggregation of risks.

          If any infosec bod is just relying on CVSS then they're not doing 90% of the job.

          I know there is the calculator which does allow you to input some environmental factors to modify the score but it's still a long way off real life and the management of real risks.

  2. Alan J. Wylie

    CVE scores are dynamic

    The NIST provides a calculator. On their page for a particular CVE, e.g. CVE-2017-5550 click on one of the two "CVSS" versions, then on the "Base Score" button, and you can tune your score depending on your particular circumstances, e.g. external network access, Privileges Required.

    1. stiine Silver badge

      Re: CVE scores are dynamic

      No, they aren't, and your example of CVSS versions is only an indicator that the actual scoring system has gone through three major iterations.

      1. Alan J. Wylie

        Re: CVE scores are dynamic

        Did you click on "Base Score"?

  3. K

    Common Vulnerability Scoring System (CVSS) is a useful tool

    It's useful ... But it is extremely subjective.

    For example, consider a dangerous exploit in RDP that impacts Windows 10:

    1) A corporate IT team would rate it high.

    2) A SaaS service IT team would shrug and rate it low-medium.

    3) A Russian IT team would rate it as vodka or even champagne.

    1. Potemkine! Silver badge

      Re: Common Vulnerability Scoring System (CVSS) is a useful tool

      3) A Russian IT team would rate it as vodka or even champagne.


  4. EnviableOne Silver badge

    which version

    now which version were the experts working on?

    there's at least 3 to choose from: 2, 3 or 3.1, and the maths is a nightmare

    also it's whether they are base, temporal or environmental too!!!
