Ask Not Whether CVSSv3.1 and v4 Scores are Inconsistent, But What Can You Do About It
CVE/FIRST VulnCon 2025 · Main Stage
This talk, presented by Monan and Chisan from VU Amsterdam, delves into the critical issue of inconsistencies between Common Vulnerability Scoring System (CVSS) versions 3.1 and 4.0. As organizations increasingly rely on CVSS scores for vulnerability management and prioritization, discrepancies between different versions or even between different scoring entities can lead to significant operational challenges. The researchers highlight that while CVSSv4.0 aims to offer more refined guidance, its introduction has inadvertently surfaced new layers of scoring variability.
AI review
Monan and Chisan present a methodical, academically rigorous examination of cross-version CVSS inconsistencies — a real, underappreciated operational problem. The consistency rules framework is a genuine contribution with practical utility, and the empirical grounding across multiple datasets (including a private CV-SSI corpus of 6,000+ CVEs) gives this more credibility than a pure theoretical exercise. That said, it's narrow in scope, and the headline finding — that CVSS scoring is inconsistent and humans interpret metrics differently — is not exactly news to anyone who's spent a week in…