Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public
draft), Measuring the Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of
this work. Finally, NIST requests comments on sources of data that could
provide ground truth for these types of measurements.

The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.

NOTE: A call for patent claims is included on page iv of this
draft. For additional information, see Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL
Publications.