U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

NISTIR 8409 (Draft)

Measuring the Common Vulnerability Scoring System Base Score Equation

Date Published: June 8, 2022
Comments Due: July 29, 2022 (public comment period is CLOSED)
Email Questions to: ir8409-comments@nist.gov

Author(s)

Peter Mell (NIST), Jonathan Spring (CERT/CC at Carnegie Mellon University), Srividya Ananthakrishna (Huntington Ingalls Industries), Francesco Casotto (Cisco), Dave Dugal (Juniper), Troy Fridley (AcuityBrands), Christopher Ganas (Palo Alto Networks), Arkadeep Kundu (Cisco), Phillip Nordwall (Dell), Vijayamurugan Pushpanathan (Schneider Electric), Daniel Sommerfeld (Microsoft), Matt Tesauro (Open Web Application Security Project), Christopher Turner (NIST)

Announcement

Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach to evaluating properties that lead to a successful attack and the effects of a successful exploitation. CVSS is managed under the auspices of the Forum of Incident Response and Security Teams (FIRST) and is maintained by the CVSS Special Interest Group (SIG). Unfortunately, ground truth upon which to base the CVSS measurements has not been available. Thus, CVSS SIG incident response experts maintain the equations by leveraging CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score” equations and shows that they represent the CVSS maintainers' expert opinion to the extent described by these measurements. NIST requests feedback on the approach, the significance of the results, and any CVSS measurements that should have been conducted but were not included within the initial scope of this work. Finally, NIST requests comments on sources of data that could provide ground truth for these types of measurements.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

 

Abstract

Keywords

computer; Common Vulnerability Scoring System; error; expert opinion; measurement; measuring; metrics; network; scoring; security
Control Families

None selected

Documentation

Publication:
NISTIR 8409 (Draft) (DOI)
Local Download

Supplemental Material:
None available

Document History:
06/08/22: NISTIR 8409 (Draft)

Topics

Security and Privacy
security measurement; vulnerability management

Technologies
networks