Can the Common Vulnerability Scoring System be Trusted? A Bayesian Analysis

Johnson, Pontus; Lagerström, Robert; Ekstedt, Mathias; Franke, Ulrik

doi:10.1109/tdsc.2016.2644614

Cited by 70 publications

(53 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Once the classification and evaluation work has been completed for a vulnerability identified with a CVE, the structured and quantified severity information is stored to vulnerability databases. Motivated by a recent empirical evaluation [16], this paper examines the time delays between the publication of CVEs and the usually later publication of CVSS information. The scope is restricted to NVD and the second revision of the CVSS standard.…”

Section: Introductionmentioning

confidence: 99%

“…The standard has been also incorporated into different governmental security risk, threat, and intelligence systems. Furthermore, CVSS information is used in numerous different commercial products [16], ranging from vulnerability scanners and compliance assessment tools to automated penetration testing and intrusion detection systems.…”

Section: Introductionmentioning

confidence: 99%

“…In any case, eventually the vulnerabilities accepted for archiving are published in NVD. In parallel to the coordination and archiving work related to CVEs, vulnerabilities are evaluated for their severity by the NVD team, which largely operates independently from others carrying similar evaluations [16]. Once the evaluation has been completed, the CVE-referenced vulnerability information is updated in NVD.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

This empirical paper examines the time delays that occur between the publication of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) information attached to published CVEs. According to the empirical results based on regularized regression analysis of over eighty thousand archived vulnerabilities, (i) the CVSS content does not statistically influence the time delays, which, however, (ii) are strongly affected by a decreasing annual trend. In addition to these results, the paper contributes to the empirical research tradition of software vulnerabilities by a couple of insights on misuses of statistical methodology.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

show abstract

“…The above discussion signifies the for any security assessment CVSS is widely adopted by the different field of the research domain and for the initial stage of estimation, CVSS is an important tool for the research workers. The authors P. Johnson et al in their research work check the credibility of CVSS scorings based on five foremost databases (OSVDB, CERT-VN, NVD, X-Force, and Cisco) [16]. The outcome suggests that with the special case of some measurements, the CVSS is very dependable.…”

Section: Motivation and Related Workmentioning

confidence: 99%

Common Vulnerability Scoring System for SDN Environment

Deb¹,

Roy²

2019

IJEAT

View full text Add to dashboard Cite

The identification of component vulnerability is an important criterion for securing the networks and it is an open issue for Software Defined Network (SDN). The First.org provides an open tool namely Common Vulnerability Scoring system for identification of component vulnerability, but there is no distinctive correspondence between CVSS and SDN. With this paper, we try to identify such correspondence so that it will help network researchers to determine the network vulnerability and improve the SDN security soon. This paper also includes a comparison between the last three CVSS versions. For this comparison, one can understand what are the new features CVSS incorporating for identifying new vulnerabilities in the emerging environment

show abstract

“…In 2017 and 2018, around 14 700 and 16 500 new vulnerabilities respectively were reported. It requires both effort and knowledge to be able to evaluate these vulnerabilities, sometimes found in several different public databases, non-trivial to fuse when there is conflicting information [4].…”

Section: Introductionmentioning

confidence: 99%

Sharing of Vulnerability Information Among Companies – A Survey of Swedish Companies

Olsson

Hell

Höst

et al. 2019

2019 45th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)

Self Cite

View full text Add to dashboard Cite

Software products are rarely developed from scratch and vulnerabilities in such products might reside in parts that are either open source software or provided by another organization. Hence, the total cybersecurity of a product often depends on cooperation, explicit or implicit, between several organizations. We study the attitudes and practices of companies in software ecosystems towards sharing vulnerability information. Furthermore, we compare these practices to contemporary cybersecurity recommendations. This is performed through a questionnairebased qualitative survey. The questionnaire is divided into two parts: the providers' perspective and the acquirers' perspective. The results show that companies are willing to share information with each other regarding vulnerabilities. Sharing is not considered to be harmful neither to the cybersecurity nor their business, even though a majority of the respondents consider vulnerability information sensitive. However, the companies, despite being open to sharing, are less inclined to proactively sharing vulnerability information. Furthermore, the providers do not perceive that there is a large interest in vulnerability information from their customers. Hence, the companies' overall attitude to sharing vulnerability information is passive but open. In contrast, contemporary cybersecurity guidelines recommend active disclosure and sharing among actors in an ecosystem.

show abstract

Can the Common Vulnerability Scoring System be Trusted? A Bayesian Analysis

Cited by 70 publications

References 14 publications

A look at the time delays in CVSS vulnerability scoring

A look at the time delays in CVSS vulnerability scoring

Common Vulnerability Scoring System for SDN Environment

Sharing of Vulnerability Information Among Companies – A Survey of Swedish Companies

Contact Info

Product

Resources

About