research-article

Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods

Authors:
Jiamou Sun

CSIRO, Australia

CSIRO, Australia

0000-0002-5212-7068
Search about this author

,
Zhenchang Xing

CSIRO & Australian National University, Australia

CSIRO & Australian National University, Australia

0000-0001-7663-1421
Search about this author

,
Xin Xia

Huawei, China

Huawei, China

0000-0002-6302-3256
Search about this author

,
Qinghua Lu

CSIRO, Australia

CSIRO, Australia

0000-0002-7783-5183
Search about this author

,
Xiwei Xu

CSIRO, Australia

CSIRO, Australia

0000-0002-2273-1862
Search about this author

,
Liming Zhu

CSIRO & University of New South Wales, Australia

CSIRO & University of New South Wales, Australia

0000-0001-5839-3765
Search about this author

ACM Transactions on Software Engineering and Methodology Volume 33 Issue 2Article No.: 49pp 1–38https://doi.org/10.1145/3624734

Published:22 December 2023Publication History

ACM Transactions on Software Engineering and Methodology

Abstract

Vulnerable third-party libraries pose significant threats to software applications that reuse these libraries. At an industry scale of reuse, manual analysis of third-party library vulnerabilities can be easily overwhelmed by the sheer number of vulnerabilities continually collected from diverse sources for thousands of reused libraries. Our study of four large-scale, actively maintained vulnerability databases (NVD, IBM X-Force, ExploitDB, and Openwall) reveals the wide presence of information discrepancies, in terms of seven vulnerability aspects, i.e., product, version, component, vulnerability type, root cause, attack vector, and impact, between the reports for the same vulnerability from heterogeneous sources. It would be beneficial to integrate and cross-validate multi-source vulnerability information, but it demands automatic aspect extraction and aspect discrepancy detection. In this work, we experimented with a wide range of NLP methods to extract named entities (e.g., product) and free-form phrases (e.g., root cause) from textual vulnerability reports and to detect semantically different aspect mentions between the reports. Our experiments confirm the feasibility of applying NLP methods to automate aspect-level vulnerability analysis and identify the need for domain customization of general NLP methods. Based on our findings, we propose a discrepancy-aware, aspect-level vulnerability knowledge graph and a KG-based web portal that integrates diversified vulnerability key aspect information from heterogeneous vulnerability databases. Our conducted user study proves the usefulness of our web portal. Our study opens the door to new types of vulnerability integration and management, such as vulnerability portraits of a product and explainable prediction of silent vulnerabilities.

REFERENCES

[1] Abubakar Muhammad, Ahmad Adil, Fonseca Pedro, and Xu Dongyan. 2021. SHARD: Fine-grained kernel specialization with context-aware hardening. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Vancouver, B.C.Google Scholar
[2] Anonymous. 2020. Utilizing data from cvedetails.com, I created this graph to easily compare the amount of AMD and Intel vulnerabilities. https://www.reddit.com/r/Amd/comments/ek6m1q/utilizing_data_from_cvedetailscom_i_created_this/. Accessed: 2022-06-17.Google Scholar
[3] Anwar Afsah, Ahmed Abusnaina, Songqing Chen, Frank Li, and David Mohaisen. 2021. Cleaning the NVD: Compre-hensive quality assessment, improvements, and analyses. In 19th Transactions on Dependable and Secure Computing.Google Scholar
[4] Support Apple. 2020. https://support.apple.com/en-us/HT209106. Accessed: 2020-12-31.Google Scholar
[5] Biswas Priyam, Federico Alessandro Di, Carr Scott A., Rajasekaran Prabhu, Volckaert Stijn, Na Yeoul, Franz Michael, and Payer Mathias. 2017. Venerable variadic vulnerabilities vanquished. In 26th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security 17). 186–198.Google Scholar
[6] Center CERT Coordination. 1991. CERT advisory CA-91:21. Published electronically athttp://www.cert.org/advisories/CA-1991-21.htmlGoogle Scholar
[7] Database CERT Coordination Center Vulnerability Notes. 2020. https://www.kb.cert.org/vuls/. Accessed: 2020-12-31.Google Scholar
[8] Chantrapornchai Chantana and Tunsakul Aphisit. 2019. Information extraction based on named entity for tourism corpus. In 2019 16th International Joint Conference on Computer Science and Software Engineering (JCSSE). IEEE, 187–192.Google ScholarCross Ref
[9] Chen YuXuan, Ding Jianwei, Li Dashuang, and Chen Zhouguo. 2021. Joint BERT model based cybersecurity named entity recognition. In 2021 The 4th International Conference on Software Engineering and Information Management. 236–242.Google ScholarDigital Library
[10] Exposures Common Vulnerabilities and. 2020. https://cve.mitre.org/index.html. Accessed: 2020-12-31.Google Scholar
[11] Enumeration Common Weakness. 2020. https://cwe.mitre.org/. Accessed: 2020-12-31.Google Scholar
[12] Service Community Attestation. 2022. https://cas.codenotary.com/#sbom. Accessed: 2022-03-31.Google Scholar
[13] Details CVE. 2023. https://www.cvedetails.com/. Accessed: 2023-05-25.Google Scholar
[14] Authorities CVE Numbering. 2023. https://www.cve.org/ProgramOrganization/CNAs. Accessed: 2023-05-25.Google Scholar
[15] Template CVE Request. 2020. http://cveproject.github.io/docs/content/key-details-phrasing.pdf. Accessed: 2020-12-31.Google Scholar
[16] Agency Cybersecurity and Infrastructure Security. 2021. Industrial Control Systems. https://us-cert.cisa.gov/ics. Accessed: 2020-12-31.Google Scholar
[17] Dependabot. 2022. https://github.com/dependabot/dependabot-core. Accessed: 2022-03-31.Google Scholar
[18] Devlin Jacob, Chang Ming-Wei, Lee Kenton, and Toutanova Kristina. 2019. BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers). Association for Computational Linguistics, 4171–4186.Google Scholar
[19] Dong Ying, Guo Wenbo, Chen Yueqi, Xing Xinyu, Zhang Yuqing, and Wang Gang. 2019. Towards the detection of inconsistencies in public security vulnerability reports. In 28th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security 19). 869–885.Google Scholar
[20] ElementTree. 2022. https://docs.python.org/3/library/xml.etree.elementtree.html. Accessed: 2022-06-17.Google Scholar
[21] Database Exploit. 2020. https://www.exploit-db.com/. Accessed: 2020-12-31.Google Scholar
[22] Feng Xuan, Liao Xiaojing, Wang XiaoFeng, Wang Haining, Li Qiang, Yang Kai, Zhu Hongsong, and Sun Limin. 2019. Understanding and securing device vulnerabilities through automated bug report analysis. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 887–903.Google Scholar
[23] Gao Chen, Zhang Xuan, and Liu Hui. 2021. Data and knowledge-driven named entity recognition for cyber security. Cybersecurity 4, 1 (2021), 1–13.Google ScholarCross Ref
[24] Ge Xinyang, Talele Nirupama, Payer Mathias, and Jaeger Trent. 2016. Fine-grained control-flow integrity for kernel software. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 179–194.Google ScholarCross Ref
[25] Gong X., Xing Z., Li X., Feng Z., and Han Z.. 2019. Joint prediction of multiple vulnerability characteristics through multi-task learning. In 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS). 31–40.Google ScholarCross Ref
[26] Guo Hao, Chen Sen, Xing Zhenchang, Li Xiaohong, Bai Yude, and Sun Jiamou. 2022. Detecting and augmenting missing key aspects in vulnerability descriptions. ACM Transactions on Software Engineering and Methodology (TOSEM) 31, 3 (2022), 1–27.Google ScholarDigital Library
[27] Han Z., Li X., Xing Z., Liu H., and Feng Z.. 2017. Learning to predict severity of software vulnerability using only vulnerability description. In 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME). 125–136.Google ScholarCross Ref
[28] Hassan Foyzul and Wang Xiaoyin. 2017. Mining readme files to support automatic building of Java projects in software repositories. In 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C). IEEE, 277–279.Google ScholarDigital Library
[29] He Hao, He Runzhi, Gu Haiqiao, and Zhou Minghui. 2021. A large-scale empirical study on Java library migrations: Prevalence, trends, and rationales. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 478–490.Google ScholarDigital Library
[30] Honnibal Matthew and Johnson Mark. 2015. An improved non-monotonic transition system for dependency parsing. In Proceedings of the 2015 Conference on Empirical Methods in Natural Language Processing. Association for Computational Linguistics, Lisbon, Portugal, 1373–1378.Google ScholarCross Ref
[31] X-Force IBM. 2020. https://exchange.xforce.ibmcloud.com/activity/list?filter=Vulnerabilities. Accessed: 2020-12-31.Google Scholar
[32] Services Internet Security. 1999. Online database x-force. Published electronically athttp://xforce.iss.net/Google Scholar
[33] Kaspersky. 2023. https://www.kaspersky.com.au/. Accessed: 2023-05-25.Google Scholar
[34] Kulkarni Milind. 2020. Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information. https://cve.mitre.org/blog/December152020_Our_CVE_Story_Using_the_CVE_Program_to_Provide_Reliable_Vulnerability_Information.html. Accessed: 2020-12-31.Google Scholar
[35] Kusner Matt J., Sun Yu, Kolkin Nicholas I., and Weinberger Kilian Q.. 2015. From word embeddings to document distances. In Proceedings of the 32nd International Conference on International Conference on Machine Learning - Volume 37 (ICML’15). JMLR.org, 957–966.Google Scholar
[36] Lafferty John D., McCallum Andrew, and Pereira Fernando C. N.. 2001. Conditional random fields: Probabilistic models for segmenting and labeling sequence data. In Proceedings of the Eighteenth International Conference on Machine Learning (ICML ’01). Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 282–289.Google Scholar
[37] Lample Guillaume, Ballesteros Miguel, Subramanian Sandeep, Kawakami Kazuya, and Dyer Chris. 2016. Neural architectures for named entity recognition. In Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Association for Computational Linguistics, San Diego, California, 260–270.Google ScholarCross Ref
[38] Li Vector Guo, Dunn Matthew, Pearce Paul, McCoy Damon, Voelker Geoffrey M., and Savage Stefan. 2019. Reading the tea leaves: A comparative analysis of threat intelligence. In 28th USENIX Security Symposium (USENIX Security 19). 851–867.Google Scholar
[39] Lloyd Stuart. 1982. Least squares quantization in PCM. IEEE Transactions on Information Theory 28, 2 (1982), 129–137.Google ScholarDigital Library
[40] Lu Kangjie, Pakki Aditya, and Wu Qiushi. 2019. Detecting missing-check bugs via semantic-and context-aware criticalness and constraints inferences. In 28th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security 19). 1769–1786.Google Scholar
[41] Ma S., Xing Z., Chen C., Chen C., Qu L., and Li G.. 2019. Easy-to-deploy API extraction by multi-level feature embedding and transfer learning. IEEE Transactions on Software Engineering (2019), 1–1.Google Scholar
[42] Mann David E. and Christey Steven M.. 1999. Towards a common enumeration of vulnerabilities. In 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana.Google Scholar
[43] Martin R. A.. 2003. Integrating your information security vulnerability management capabilities through industry standards (CVE OVAL). In SMC’03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme - System Security and Assurance (Cat. No.03CH37483), Vol. 2.Google ScholarCross Ref
[44] Security Microsoft. 2020. https://msrc.microsoft.com/update-guide/vulnerability. Accessed: 2020-12-31.Google Scholar
[45] Mikolov Tomas, Chen Kai, Corrado Greg, and Dean Jeffrey. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013).Google Scholar
[46] Mu Dongliang, Cuevas Alejandro, Yang Limin, Hu Hang, Xing Xinyu, Mao Bing, and Wang Gang. 2018. Understanding the reproducibility of crowd-reported security vulnerabilities. In 27th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security 18). 919–936.Google Scholar
[47] Database National Vulnerability. 2020. https://nvd.nist.gov/. Accessed: 2020-12-31.Google Scholar
[48] Incorporated Network Associates. 1999. Proprietary Vulnerability Database for CyberCop Scanner 2.4.Google Scholar
[49] Norton. 2023. https://au.norton.com/. Accessed: 2023-05-25.Google Scholar
[50] list Openwall oss-security mailing. 2020. https://www.openwall.com/lists/oss-security/. Accessed: 2020-12-31.Google Scholar
[51] Pennington Jeffrey, Socher Richard, and Manning Christopher. 2014. GloVe: Global vectors for word representation. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP). Association for Computational Linguistics, Doha, Qatar, 1532–1543.Google ScholarCross Ref
[52] Pewny Jannik, Koppe Philipp, and Holz Thorsten. 2019. Steroids for DOPed applications: A compiler for automated data-oriented programming. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 111–126.Google ScholarCross Ref
[53] Pomonis Marios, Petsios Theofilos, Keromytis Angelos D., Polychronakis Michalis, and Kemerlis Vasileios P.. 2019. Kernel protection against just-in-time code reuse. ACM Transactions on Privacy and Security (TOPS) 22, 1 (2019), 1–28.Google ScholarDigital Library
[54] Proskurin Sergej, Momeu Marius, Ghavamnia Seyedhamed, Kemerlis Vasileios P., and Polychronakis Michalis. 2020. xMP: Selective memory protection for kernel and user space. In 2020 IEEE Symposium on Security and Privacy (SP). 584–598.Google Scholar
[55] Qiu Lin, Ru Dongyu, Long Quanyu, Zhang Weinan, and Yu Yong. 2020. QA4IE: A question answering based system for document-level general information extraction. IEEE Access 8 (2020), 29677–29689.Google ScholarCross Ref
[56] Qiu Lin, Zhou Hao, Qu Yanru, Zhang Weinan, Li Suoheng, Rong Shu, Ru Dongyu, Qian Lihua, Tu Kewei, and Yu Yong. 2018. QA4IE: A question answering based framework for information extraction. In International Semantic Web Conference. Springer, 198–216.Google ScholarDigital Library
[57] Ramsauer Ralf, Bulwahn Lukas, Lohmann Daniel, and Mauerer Wolfgang. 2020. The sound of silence: Mining security vulnerabilities from secret integration channels in open-source projects. In Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop (CCSW’20). Association for Computing Machinery, New York, NY, USA, 147–157.Google ScholarDigital Library
[58] Reimers Nils and Gurevych Iryna. 2019. Sentence-BERT: Sentence embeddings using Siamese BERT-networks. In Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). Association for Computational Linguistics, Hong Kong, China, 3982–3992.Google ScholarCross Ref
[59] Ru Dongyu, Wang Zhenghui, Qiu Lin, Zhou Hao, Li Lei, Zhang Weinan, and Yu Yong. 2020. QuAChIE: Question answering based Chinese information extraction system. In Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval. 2177–2180.Google ScholarDigital Library
[60] Sabetta Antonino and Bezzi M.. 2018. A practical approach to the automatic classification of security-relevant commits. 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (2018), 579–582.Google ScholarCross Ref
[61] Secureteam. 2022. https://secureteam.co.uk/. Accessed: 2022-03-31.Google Scholar
[62] Shokripour Ramin, Anvik John, Kasirun Zarinah M., and Zamani Sima. 2013. Why so complicated? Simple term filtering and weighting for location-based bug report assignment recommendation. In 2013 10th Working Conference on Mining Software Repositories (MSR). IEEE, 2–11.Google ScholarCross Ref
[63] Sillaber Christian, Sauerwein Clemens, Mussmann Andrea, and Breu Ruth. 2016. Data quality challenges and future research directions in threat intelligence sharing practice. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security. 65–70.Google ScholarDigital Library
[64] Singh. 2013. Elements of Practical Geography. Kalyani Publishers.Google Scholar
[65] Snyk. 2022. https://snyk.io/. Accessed: 2022-03-31.Google Scholar
[66] Sonatype. 2022. https://www.sonatype.com/. Accessed: 2022-03-31.Google Scholar
[67] Staicu Cristian-Alexandru, Pradel Michael, and Livshits Benjamin. 2018. SYNODE: Understanding and automatically preventing injection attacks on NODE. JS. In NDSS.Google Scholar
[68] Sun Jiamou, Xing Zhenchang, Guo Hao, Ye Deheng, Li Xiaohong, Xu Xiwei, and Zhu Liming. 2021. Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization. arxiv:cs.LG/2101.01431Google Scholar
[69] Sun Jiamou, Xing Zhenchang, Lu Qinghua, Xu Xiwei, and Zhu Liming. 2022. Heterogeneous vulnerability report traceability recovery by vulnerability aspect matching. 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME).Google ScholarCross Ref
[70] System Common Vulnerability Scoring. (n.d.).Google Scholar
[71] Wang Huanting, Ye Guixin, Tang Zhanyong, Tan Shin Hwei, Huang Songfang, Fang Dingyi, Feng Yansong, Bian Lizhong, and Wang Zheng. 2021. Combining graph-based learning with automated data collection for code vulnerability detection. IEEE Transactions on Information Forensics and Security 16 (2021), 1943–1958.Google ScholarDigital Library
[72] Wang Xiaoguang, Yeoh SengMing, Lyerly Robert, Olivier Pierre, Kim Sang-Hoon, and Ravindran Binoy. 2020. A framework for software diversification with \(\lbrace\)ISA\(\rbrace\) heterogeneity. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (\(\lbrace\)RAID\(\rbrace\) 2020). 427–442.Google Scholar
[73] WebMind. 2023. https://web-mind.io/cyber-security/windows-vs-linux-which-is-safer/. Accessed: 2023-05-25.Google Scholar
[74] Wu Qiushi, He Yang, McCamant Stephen, and Lu Kangjie. 2020. Precisely characterizing security impact in a flood of patches via symbolic rule comparison. In Network and Distributed System Security Symposium (NDSS).Google Scholar
[75] Wu Wei, Chen Yueqi, Xing Xinyu, and Zou Wei. 2019. \(\lbrace\)KEPLER\(\rbrace\): Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In 28th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security 19). 1187–1204.Google Scholar
[76] Xiao Hongbo, Xing Zhenchang, Li Xiaohong, and Guo Hao. 2019. Embedding and predicting software security entity relationships: A knowledge graph based approach. In International Conference on Neural Information Processing. Springer, 50–63.Google ScholarDigital Library
[77] Xu B., Ye D., Xing Z., Xia X., Chen G., and Li S.. 2016. Predicting semantically linkable knowledge in developer online forums via convolutional neural network. In 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE). 51–62.Google ScholarDigital Library
[78] Xu Meng, Qian Chenxiong, Lu Kangjie, Backes Michael, and Kim Taesoo. 2018. Precise and scalable detection of double-fetch bugs in OS kernels. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 661–678.Google ScholarCross Ref
[79] Yang Jeong, Lee Young, and McDonald Arlen P.. 2021. SolarWinds software supply chain security: Better protection with enforced policies and technologies. In International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing. Springer, 43–58.Google Scholar
[80] Ye D., Xing Z., Foo C. Y., Ang Z. Q., Li J., and Kapre N.. 2016. Software-specific named entity recognition in software engineering social content. In 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), Vol. 1. 90–101.Google ScholarCross Ref
[81] Yitagesu S., Zhang X., Feng Z., Li X., and Xing Z.. 2021. Automatic part-of-speech tagging for security vulnerability descriptions. In 18th International Conference on Mining Software Repositories (MSR).Google ScholarCross Ref
[82] You Wei, Wang Xueqiang, Ma Shiqing, Huang Jianjun, Zhang Xiangyu, Wang XiaoFeng, and Liang Bin. 2019. Profuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 769–786.Google ScholarCross Ref
[83] You Wei, Zong Peiyuan, Chen Kai, Wang Xiaofeng, Liao Xiaojing, Bian Pan, and Liang Bin. 2017. SemFuzz: Semantics-based automatic generation of proof-of-concept exploits. 2139–2154. Google Scholar
[84] Zhang Yunyan, Xu Guangluan, Wang Yang, Lin Daoyu, Li Feng, Wu Chenglong, Zhang Jingyuan, and Huang Tinglei. 2020. A question answering-based framework for one-step event argument extraction. IEEE Access 8 (2020), 65420–65431.Google ScholarCross Ref
[85] Zhao Yutong, Xiao Lu, Babvey Pouria, Sun Lei, Wong Sunny, Martinez Angel A., and Wang Xiao. 2020. Automatically identifying performance issue reports with heuristic linguistic patterns. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 964–975.Google ScholarDigital Library

Index Terms

Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods
1. Security and privacy
  1. Software and application security

Recommendations

Vulnerability severity scoring and bounties: why the disconnect?
SWAN 2016: Proceedings of the 2nd International Workshop on Software Analytics

The Common Vulnerability Scoring System (CVSS) is the de facto standard for vulnerability severity measurement today and is crucial in the analytics driving software fortification. Required by the U.S. National Vulnerability Database, over 75,000 ...
Read More
Predicting the severity and exploitability of vulnerability reports using convolutional neural nets
EnCyCriS '22: Proceedings of the 3rd International Workshop on Engineering and Cybersecurity of Critical Systems

Common Vulnerability and Exposure (CVE) reports published by Vulnerability Management Systems (VMSs) are used to evaluate the severity and exploitability of software vulnerabilities. Public vulnerability databases such as NVD uses the Common ...
Read More
Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks

The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Software Engineering and Methodology Volume 33, Issue 2
February 2024
947 pages
ISSN:1049-331X
EISSN:1557-7392
DOI:10.1145/3618077
Editor:
Mauro Pezzè
USI Universitá della Svizzera italiana and SIT Schaffhausen Institute of Technology, Switzerland
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 December 2023
- Online AM: 16 October 2023
- Accepted: 22 August 2023
- Revised: 28 May 2023
- Received: 2 April 2022
Published in tosem Volume 33, Issue 2

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Vulnerability key aspect
information discrepancy
hetergeneous vulnerability reports
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 199
  Total Downloads
- Downloads (Last 12 months)199
- Downloads (Last 6 weeks)33
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Full Text

View this article in Full Text.

View Full Text

Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods

ACM Transactions on Software Engineering and Methodology

Abstract

REFERENCES

Cited By

Index Terms

Recommendations

Vulnerability severity scoring and bounties: why the disconnect?

Predicting the severity and exploitability of vulnerability reports using convolutional neural nets

Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Full Text

Caption

Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods

ACM Transactions on Software Engineering and Methodology

Abstract

REFERENCES

Cited By

Index Terms

Recommendations

Vulnerability severity scoring and bounties: why the disconnect?

Predicting the severity and exploitability of vulnerability reports using convolutional neural nets

Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Full Text

Share this Publication link

Share on Social Media