Connectedness: a dimension of security bug severity assessment for measuring uncertainty

TL;DR

The paper addresses the limitation of CVSS in handling uncertainty from multiple exploit paths and side effects by treating security bugs as sets of possible events. It introduces connectedness as a quantitative measure of how strongly a bug's behavior is linked to multiple system entities, reflecting known unknowns in severity assessment. The work defines connectedness, discusses its application to XSS-like scenarios, and discusses limitations arising from threat-model dependence and subjective judgments. Including connectedness in severity analysis aims to produce more accurate risk rankings under uncertainty and encourage threat-model-driven assessment.

Abstract

Current frameworks for evaluating security bug severity, such as the Common Vulnerability Scoring System (CVSS), prioritize the ratio of exploitability to impact. This paper suggests that the above approach measures the "known knowns" but inadequately addresses the "known unknowns" especially when there exist multiple possible exploit paths and side effects, which introduce significant uncertainty. This paper introduces the concept of connectedness, which measures how strongly a security bug is connected with different entities, thereby reflecting the uncertainty of impact and the exploit potential. This work highlights the critical but underappreciated role connectedness plays in severity assessments.