NIST has published NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation.
Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach for evaluating properties that lead to a successful attack and the effects of a successful exploitation. This work evaluates the validity of the CVSS version 3 base score equation in capturing the expert opinion of its maintainers. Performing this analysis is necessary because the equation design has been questioned since it has features that are both unintuitive and unjustified by the CVSS specification. If one can show that the equation reflects CVSS expert opinion, then that study justifies the equation, and the security community can treat the equation as an opaque box that functions as described.
This work shows that the CVSS base score equation closely -- though not perfectly -- represents the CVSS maintainers' expert opinion. These findings validate that the CVSS base score equation represents the CVSS maintainers' domain knowledge to the extent described by these measurements.
