Measuring the CVSS Base Score Equation: NIST IR 8409

NIST has published NIST Internal Report (IR) 8409, Measuring the
Common Vulnerability Scoring System Base Score Equation

Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach for evaluating properties that lead to a
successful attack and the effects of a successful exploitation. This work
evaluates the validity of the CVSS version 3 base score equation in capturing
the expert opinion of its maintainers. Performing this analysis is necessary
because the equation design has been questioned since it has features that are
both unintuitive and unjustified by the CVSS specification. If one can show
that the equation reflects CVSS expert opinion, then that study justifies the
equation, and the security community can treat the equation as an opaque box
that functions as described.

This work shows that the CVSS base score equation closely —
though not perfectly — represents the CVSS maintainers’ expert opinion. These
findings validate that the CVSS base score equation represents the CVSS
maintainers’ domain knowledge to the extent described by these measurements.