Security News > 2021 > January > How good are you at scoring security vulnerabilities, really? Boffins seek infosec pros to take rating skill survey

By running a survey on whether infosec bods think the Common Vulnerability Scoring System is a useful tool for assessing security flaws, Dr Zinaida Benenson of Friedrich-Alexander Universität Erlangen-Nürnberg's IT Security Infrastructure Lab in Germany hopes to further the infosec world's understanding of how reliable the system really is.

While the survey hopes to gain up to 300 respondents, Benenson was coy about precisely what she's hoping to prove or disprove, but she did drop The Register a hint about the current state of CVSS scoring.

In preliminary research, Benenson and her fellow researchers asked a handful of infosec bods to allocate CVSS scores to 10 sample vulnerabilities, as a way of testing how consistent their scoring was.

In the decade-and-a-half since then, CVSS has become the standard at-a-glance measure of a given vulnerability's severity, with the worst reaching 10.0 on the system's ten-point scoring scale.

Scores are commonly allocated to vulnerabilities along with a Common Vulnerabilities and Exposure number, which has led to the undesirable practice of researchers "Collecting" high-severity CVEs by using dubious methods.

Referring to the table of varied CVSS scores she showed us, Benenson said: "We are not saying that CVSS experts are not skilful. We are trying to find factors behind the fact that the scores are so different. Actually, the scores are supposed to be the same across different actors; this is the idea of CVSS." .

News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/08/cvss_scoring_survey/