CVSS Scoring System Need an Revamp

Researchers produced a detailed research report stating the weaknesses in the existing CVSS scoring system that is deemed to be responsible for overhyping some vulnerabilities. Personally, TheCyberThrone keep reiterating the same on numerous occasions that this approach may not yield the desired results.

Common Vulnerability Scoring System (CVSS), an open industry standard framework for assessing the severity of security problems and managed by the non-profit Forum of Incident Response and Security Teams (FIRST) with the National Vulnerability Database (NVD) providing CVSS scores for confirmed vulnerabilities.

Due to this scoring systems, so-called bug ratings are overinflated ratings and cybersecurity community keep spending time in it and not be focused on the bugs most likely to impact their organizations in favour of issues deemed critical across the board.

According to the analysis, there exist a discrepancy between public severity ratings and the internal JFrog assessments of the top 50 CVEs of 2022. In most of the cases the CVE severity assessment is lower than the rating assigned in the NVD – meaning oftentimes these vulnerabilities are being overhyped based on the real-world impact until a working exploit has been released

As many as NVD security ratings were undeserved as they were not as simple to exploit as reported and it required complex configuration environments or conditions for a successful attack. Also, that there may be a lack of context when assigning CVE attack complexity metrics and it depends on several factors like how he placement of resources and how API is fetching the untrusted date and like on.

For an instance – using default credentials are not marked as critical in scoring system and it is served as low but the impact, they would create a massive negative outcome. Since its low the remediation work is either delayed or (worse) entirely disregarded.

If a bug is considered too small to bother with, developers may not create a patch, which JFrog says can only increase the number of affected systems over time. In contrast, if a CVSS rating is high but the real-world impact is considered minuscule, the threat level could be faulted as misleading.

A risk severity should be based on the information collected against Temporal threat information, asset criticality, compensating controls – such as security system filters, preventive controls, log analysis systems availability – and other environmental scores are designed to lower the score to a more apt, applicable level.

CVSS v4.0 is coming soon but it will take its own time for settle and adoption by cybersecurity community It will include a method for product developers to provide supplementary urgency ratings, leading to a more accurate representation of the urgency of the vulnerability in their implementation, rather than relying on the OSS library provider’s worst-case scoring.

This analysis is conducted and documented by researchers from JFrog , which focused on accessing the impact of security bugs in open-source software, concluded that public CVSS impact metrics may be oversimplifying the risk posed by vulnerabilities because it lacks context, among other factors.