A Look at the Time Delays in CVSS Vulnerability Scoring
Jukka Ruohonen

TL;DR
This empirical study measures the time delays between the publication of CVEs in the NVD and the attachment of CVSS scoring information to them, finding that CVSS content does not influence the delays, that the delays are decreasing year by year, and that vulnerability research has recurring statistical methodology issues.
Contribution
It provides new empirical insights into CVE and CVSS timing delays and highlights methodological considerations in vulnerability research.
Findings
CVSS content does not affect delay times.
Delay times are decreasing annually.
Highlights statistical methodology misuses in vulnerability studies.
Abstract
This empirical paper examines the time delays that occur between the publication of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) information attached to published CVEs. According to the empirical results based on regularized regression analysis of over eighty thousand archived vulnerabilities, (i) the CVSS content does not statistically influence the time delays, which, however, (ii) are strongly affected by a decreasing annual trend. In addition to these results, the paper contributes to the empirical research tradition of software vulnerabilities by a couple of insights on misuses of statistical methodology.
