SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences
Miguel Santana, Vinicius V. Cogo, Alan Oliveira de Sá
TL;DR
SecScore addresses the problem that CVSS’s Threat metric does not capture time-varying exploitability in a data-driven way. It introduces $E_S(t) = E_{min} + (E_{max}-E_{min}) \times F(t; \mu, \lambda, \kappa)$ based on the asymmetric Laplace CDF $F$, to convert exploit maturity into a time-dependent factor that updates the Temporal and Environmental scores $S_T(t)$ and $S_E(t)$, while remaining compatible with CVSS v3.1 and v4. Contributions include an empirical study of exploit likelihood across 28 vulnerability profiles, a concrete SecScore formulation, and an experimental evaluation showing timeliness in vulnerability prioritisation. Findings indicate that SecScore enables earlier and more nuanced prioritisation than CVSS alone and is adaptable to organisational contexts. Overall, SecScore supports proactive remediation in risk-based vulnerability management by embedding empirically grounded time dynamics into CVSS scoring.
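The following is an added worked example, not code from the paper or its authors, showing how the $E_S(t)$ factor above can be computed and folded into a CVSS v3.1 Temporal score. Everything beyond the formula itself is an assumption made here: the asymmetric Laplace CDF is written in the Kotz/Kozubowski/Podgórski parametrisation (location $\mu$ in days, rate $\lambda$, asymmetry $\kappa$), $E_{min}$ and $E_{max}$ are taken as the v3.1 Exploit Code Maturity values for Unproven (0.91) and High (1.0), $E_S(t)$ replaces the static Exploit Code Maturity factor in the v3.1 Temporal equation, and the profile parameters and base score are constructed sample values rather than figures from the paper.

```python
import math


def asym_laplace_cdf(t, mu, lam, kappa):
    """CDF F(t; mu, lambda, kappa) of the asymmetric Laplace distribution.

    Assumed parametrisation (Kotz/Kozubowski/Podgorski): mu = location,
    lam > 0 = rate, kappa > 0 = asymmetry (kappa = 1 gives the symmetric
    Laplace). The paper's own convention may differ; this is an assumption.
    """
    if lam <= 0 or kappa <= 0:
        raise ValueError("lam and kappa must be positive")
    if t < mu:
        return (kappa ** 2 / (1 + kappa ** 2)) * math.exp((lam / kappa) * (t - mu))
    return 1 - (1 / (1 + kappa ** 2)) * math.exp(-lam * kappa * (t - mu))


def exploit_factor(t, mu, lam, kappa, e_min=0.91, e_max=1.0):
    """E_S(t) = E_min + (E_max - E_min) * F(t; mu, lambda, kappa).

    Defaults assume E_min/E_max are the CVSS v3.1 Exploit Code Maturity
    values for Unproven (0.91) and High (1.0); that mapping is an assumption.
    """
    return e_min + (e_max - e_min) * asym_laplace_cdf(t, mu, lam, kappa)


def cvss31_roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, using the
    integer arithmetic the v3.1 specification prescribes to avoid float drift."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base, t, profile, rl=1.0, rc=1.0):
    """Time-dependent Temporal score S_T(t).

    Assumes E_S(t) stands in for the Exploit Code Maturity factor in the
    v3.1 Temporal equation: Roundup(Base * E * RL * RC). rl/rc default to
    Not Defined (1.0).
    """
    return cvss31_roundup(base * exploit_factor(t, **profile) * rl * rc)


def first_day_at_or_above(threshold, base, profile, horizon_days=365):
    """First day (0-based, from disclosure) on which S_T(t) reaches the
    remediation threshold, or None within the horizon. This is the kind of
    'when does it become urgent' question a static CVSS score cannot answer."""
    for day in range(horizon_days + 1):
        if temporal_score(base, day, profile) >= threshold:
            return day
    return None


# Constructed sample profile (not from the paper): exploit likelihood centred
# 30 days after disclosure, rate 0.1 per day, symmetric shape.
SAMPLE_PROFILE = {"mu": 30.0, "lam": 0.1, "kappa": 1.0}
SAMPLE_BASE = 9.8  # constructed critical base score

if __name__ == "__main__":
    for day in (0, 15, 30, 31, 60, 120):
        print(f"day {day:3d}: E_S={exploit_factor(day, **SAMPLE_PROFILE):.4f} "
              f"S_T={temporal_score(SAMPLE_BASE, day, SAMPLE_PROFILE)}")
    print("first day S_T >= 9.5:",
          first_day_at_or_above(9.5, SAMPLE_BASE, SAMPLE_PROFILE))
```

With this profile the score climbs from 9.0 (E_S near E_min) through 9.4 on day 30 (F = 0.5 at the location parameter) to 9.8 once exploit likelihood saturates, so a team can schedule remediation against the day the score is expected to cross its threshold rather than against a value that never moves. Swapping in a profile with a different $\mu$, $\lambda$ or $\kappa$ is what lets the same machinery express a fast-exploited vulnerability class versus a slow one.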
Abstract
Background: Timely prioritising and remediating vulnerabilities is paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the likelihood, increasing over time, that exploit code will emerge. Aims: We present SecScore, an innovative vulnerability severity score that enhances the CVSS Threat metric group with statistical models built from empirical evidence of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore is flexible according to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances the theory of vulnerability metrics and enhances organisational cybersecurity with practical insights.
