NIST releases NIST IR 8409: Measuring the Common Vulnerability Scoring System Base Score Equation
November 15, 2022

NIST has published NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach for evaluating properties that lead to a successful attack and the effects of a successful exploitation. This work evaluates the validity of the CVSS version 3 base score equation in capturing the expert opinion of its maintainers. Performing this analysis is necessary because the equation design has been questioned since it has features that are both unintuitive and unjustified by the CVSS specification. If one can show that the equation reflects CVSS expert opinion, then that study justifies the equation, and the security community can treat the equation as an opaque box that functions as described.

This work shows that the CVSS base score equation closely -- though not perfectly -- represents the CVSS maintainers' expert opinion. These findings validate that the CVSS base score equation represents the CVSS maintainers' domain knowledge to the extent described by these measurements.

Related Topics

Security and Privacy: security measurement, vulnerability management

Technologies: networks

Created November 14, 2022, Updated November 15, 2022