Overview and Challenges of CVSS#
This section outlines CVSS (Common Vulnerability Scoring System), an evaluation metric for vulnerabilities, from the perspective of vulnerability management.
Challenges of the CVSS Base Score#
Generally, risk is evaluated as the combination of "vulnerability" × "threat" × "business impact". This way of thinking can also be applied to risk judgment in vulnerability response.
Vulnerability information includes a metric called the CVSS Base Score, which indicates the severity of the vulnerability itself as a number from 0 to 10. Many companies adopt a policy that "vulnerabilities with a CVSS score of 7 or higher should be addressed", but in actual operation this criterion is not sufficient. This is because the CVSS Base Score indicates information about the vulnerability itself and does not include information such as the actual "threat" or "environment".
For reference, the average score of all CVEs is "7.6", so if every vulnerability with a CVSS Base Score of 7 or higher had to be addressed, more than half of them would be mandatory to address. This information is based on data from "CVEdetails.com".

The Limits of CVSS-Based Triage According to Research#
Furthermore, there is research showing that an operational approach based solely on the CVSS Base Score is little different from responding at random. On the other hand, there is also research showing that only 5% of all vulnerabilities are actually exploited in attacks. Therefore, we operators need to judge risk by considering not only the CVSS Base Score but also other information, and to select the vulnerabilities that need to be addressed.
- An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems
- Relying on CVSS alone is risky for vulnerability management
- Jacobs et al.(2020) Jay Jacobs, Sasha Romanosky, Idris Adjerid, and Wade Baker. 2020. Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity 6, 1 (2020), tyaa015.
Challenges of Vulnerability Management Using CVSS Scores#
| Challenge | Description |
|---|---|
| Actual attack conditions are not reflected | The CVSS score indicates only the danger level of the vulnerability itself and does not take into account the system's environment or attack conditions. |
| Insufficient action guidelines | There are no clear guidelines for deciding how to respond based on the score. |
| The scope of response is too broad | Vulnerabilities with a CVSS score of 7 or higher account for half of the total, which cannot be narrowed down to a realistic number of responses. |
If you would like to know more about the challenges of the CVSS-based approach, please refer to the following.
Because of these challenges, evaluation metrics for vulnerabilities such as SSVC have been attracting attention in recent years.