Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores

Bibliographic Details
Published in: IEEE security & privacy Vol. 19; no. 4; pp. 44-53
Main Authors: Boechat, Francois; Ribas, Gabriel; Senos, Lucas; Bicudo, Miguel; Nogueira, Mateus Schulz; Pfleger de Aguiar, Leandro; Menasche, Daniel Sadoc
Format: Magazine Article
Language: English
Published: New York IEEE 01-07-2021
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Description
Summary: The Common Vulnerability Scoring System score is the de facto standard to assess risk of software vulnerabilities, with three temporal components: exploitability, remediation level, and report confidence. We discuss how the latter may be inferred from the first two, pointing out practical and conceptual issues in the usage of temporal risk scores.
ISSN: 1540-7993, 1558-4046
DOI: 10.1109/MSEC.2021.3070978