Evaluating CVSS Base Score Using Vulnerability Rewards Programs

Abstract: CVSS Base Score and the underlying metrics have been widely used. Recently there have been attempts to validate them. Some researchers have questioned the CVSS metrics based on a lack of correlation with the reported exploits and attacks. In this research, we use the independent scales used by the vulnerability reward programs (VRPs) to see if they correlate with the CVSS Base Score. We examine 1559 vulnerabilities of Mozilla Firefox and Google Chrome browsers. The results show that there is a significant correlation between the VRPs' severity ratings and CVSS scores when three-level rankings are used. For both approaches, the sets of vulnerabilities identified as Critical or High severity vulnerabilities include a large number of shared vulnerabilities, again suggesting mutual conformation. The results suggest that the CVSS Base Score may be a useful metric for prioritizing vulnerabilities, and the notable lack of exploits for high severity vulnerabilities may be the result of prioritized fixing of vulnerabilities.
Document type:
Conference paper
Jaap-Henk Hoepman; Stefan Katzenbeisser. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp.62-75, 2016, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-33630-5_5〉

Cited literature [9 references]

https://hal.inria.fr/hal-01369542
Contributor: Hal Ifip
Submitted on: Wednesday, September 21, 2016 - 10:52:20
Last modified on: Wednesday, September 21, 2016 - 11:42:33
Document(s) archived on: Thursday, December 22, 2016 - 13:07:25

File

Restricted access
File visible on: 2019-01-01


License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Awad Younis, Yashwant Malaiya, Indrajit Ray. Evaluating CVSS Base Score Using Vulnerability Rewards Programs. Jaap-Henk Hoepman; Stefan Katzenbeisser. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp.62-75, 2016, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-33630-5_5〉. 〈hal-01369542〉

Metrics

Record views

92