Vulnerability Severity Scoring: An Objective Prioritization Standard?

The rising number of reported vulnerabilities demands that development teams prioritize their security alerts quickly. The CVSS (Common Vulnerability Scoring System) score is usually the go-to parameter for remediation prioritization, but should it be?

CVSS has been updated several times over the past few years (v2 to v3.0, and most recently v3.1), in the hope of achieving a measurable, objective standard that supports all organizations and industries. However, it has also changed the definition of what a high-severity vulnerability is.

We looked at over ten thousand vulnerabilities from 2016 to 2019 and checked their CVSS v2, v3.0, and v3.1 scores to compare the severity breakdown of vulnerabilities under each scoring version over the past four years.

The most noticeable change we saw in the update from v2 to v3 is that scores rose substantially: a vulnerability that would have been rated 7.6 under CVSS v2 could quickly find itself at 9.8 under CVSS v3.0. With CVSS v3.0, teams faced a higher number of high and critical severity vulnerabilities.

Still missing are the tools to prioritize and address them, or even to fully understand the vulnerabilities' impact on a given project.