DOI: 10.1145/3190619.3191694
Poster

How bad is it, really? An analysis of severity scores for vulnerabilities: poster

Published: 10 April 2018

Abstract

To date, vulnerability research has focused on the binary classification of code as vulnerable or not vulnerable. To better understand the conditions in which vulnerabilities occur, researchers must consider the severity of these vulnerabilities in addition to a binary classification system. To explore this issue, we mined 2,979 publicly disclosed vulnerabilities from Fedora 24 and 25. We then found severity scores from the Common Vulnerability Scoring System (CVSS) and plotted the distribution of these vulnerabilities. We found that publicly scored vulnerabilities skew high, with few vulnerabilities rated lower than a 5. We then explore other potential issues with the use of CVSS in practice, such as imbalances in Confidentiality, Availability, and Integrity scores.

Cited By

  • Container Based Analysis Tool for Vulnerability Prioritization in Cyber Security Systems. 2019 21st International Conference on Transparent Optical Networks (ICTON), pp. 1-4, July 2019. DOI: 10.1109/ICTON.2019.8840441
  • BP: Profiling Vulnerabilities on the Attack Surface. 2018 IEEE Cybersecurity Development (SecDev), pp. 110-119, September 2018. DOI: 10.1109/SecDev.2018.00022

Published In

HoTSoS '18: Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security
April 2018, 163 pages
ISBN: 9781450364553
DOI: 10.1145/3190619

General Chairs: Munindar Singh, Laurie Williams
Program Chairs: Rick Kuhn, Tao Xie

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

• National Security Agency

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. metrics
2. severity
3. vulnerabilities

Qualifiers

• Poster

Conference

HoTSoS '18: Symposium and Bootcamp
April 10 - 11, 2018, Raleigh, North Carolina
Sponsor: National Security Agency

Acceptance Rates

Overall acceptance rate: 34 of 60 submissions, 57%
