Exploit Maturity: Your New Best Friend in CVSS
CVE/FIRST VulnCon 2025 · Main Stage
In her VulnCon talk, "Exploit Maturity: Your New Best Friend in CVSS," Shelby Cunningham, a member of GitHub's advisory database curation team and a CNA (CVE Numbering Authority), examines the critical role of the **Exploit Maturity (E)** metric in the new CVSS 4.0 framework. Cunningham argues that this metric is an invaluable tool for vulnerability managers, maintainers, and consumers alike, addressing key challenges posed by the transition from CVSS 3.1 to 4.0.
AI review
A competent, practitioner-focused walkthrough of how the Exploit Maturity metric works in CVSS 4.0, delivered by someone who clearly does this work every day. Cunningham brings genuine operational credibility — she's not theorizing, she's describing the decisions she makes curating CVE records for GitHub's advisory database. The CVE-2023-39363 case study is the talk's strongest moment, illustrating a real maintainer conversation and a concrete scoring outcome. The problem is that this is a features-and-examples talk, not a research talk. It explains a documented CVSS 4.0 mechanism, works…