Hackers of India

The CVSS Deception: How We’ve Been Misled on Vulnerability Severity

By Ankur Sand on 11 Dec 2024 @ Blackhat

Abstract

Since 2014, 170K+ CVEs have been published, with a ~4.5x growth in yearly disclosures and an average disclosure rate of ~80/day in 2023. The sheer volume makes it untenable for organizations to address all vulnerabilities. It is common to rely heavily on the CVSS score/rating for prioritization without giving it a second thought. Being generic, CVSS has implicit tradeoffs that plague its use and, more importantly, can lead to a false sense of security. We present six such empirically validated operational challenges to be on the look-out for:

C1 - Underrated severity due to CIA (Confidentiality, Integrity, Availability) aggregation. We show that ~10% of CVEs are potentially underrated, posing significant risk. CVE-2020-8187, a 7.5 (under)rated vulnerability disclosed amid the COVID crisis, had the potential to bring organizations to a grinding halt.

C2 - The Exploit Maturity metric leads to an unmanageable operational burden. We show that 462K+ disparate data points need to be analyzed for this metric alone; even then, the result is point-in-time accuracy at best, with a high probability of incorrectly lowering the score.

C3 - The lack of APT and exploitability consideration is a missed opportunity. In contrast to C2, this can be achieved easily even with incomplete data.

C4 - No consideration of Privacy as a first-class concern despite its significance. The use of the generic confidentiality metric is potentially masking privacy impact in thousands of CVEs.

C5 - Inadequate dependency consideration, which does not account for prerequisites, affects the prioritization of at least 11% of CVEs.

C6 - A scoring discrepancy due to a formula error surfaces for specific vectors, affecting 100+ CVEs.

For C1, C2, C4 and C6, we offer executable guidance on usage and monitoring for the vectors and patterns to watch, so as to avoid getting caught out.

For C3 and C5, we propose a conceptual design and call on the community for extensions to address the open challenge.