Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities
Julia Wunder, Andreas Kurtz, Christian Eichenmüller, Freya Gassmann, Zinaida Benenson
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 4
The Common Vulnerability Scoring System (**CVSS**), maintained by FIRST, is a foundational tool in the vulnerability management processes of organizations worldwide. It provides a standardized method for calculating a numerical score for a vulnerability that indicates its severity and guides prioritization. A significant challenge arises, however, when different evaluators assess the same vulnerability: the resulting CVSS scores often diverge, which directly contradicts the CVSS documentation's statement that scores should be agnostic to who performs the evaluation. This talk, presented by Julia Wunder, delves into a comprehensive user-centric study investigating the consistency of CVSS version 3.1 evaluations.
AI review
This talk presents a rigorously empirical study exposing critical inconsistencies in CVSS 3.1 scoring, identifying specific problematic metrics like Scope and User Interaction. It proves that despite its widespread use, CVSS's 'agnostic' premise is fundamentally broken in practice, with profound implications for vulnerability prioritization and resource allocation. A necessary, data-driven gut check for anyone relying on CVSS.