SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences
Miguel Santana, Vinicius V. Cogo, Alan Oliveira de Sá

TL;DR
SecScore is a new vulnerability scoring system that improves upon CVSS by incorporating empirical data on exploit code development, enabling more accurate and timely vulnerability prioritization.
Contribution
It introduces an empirical, explainable method to enhance CVSS scores with real-world exploit evidence, improving vulnerability assessment accuracy.
Findings
SecScore improves vulnerability prioritization effectiveness.
It integrates seamlessly into existing vulnerability management workflows.
Experimental results validate its timeliness and accuracy.
Abstract
Background: Timely prioritising and remediating vulnerabilities is paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of an exploit code emerging. Aims: We present SecScore, an innovative vulnerability severity score that enhances the CVSS Threat metric group with statistical models derived from empirical evidence of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide…
Taxonomy
Topics: Network Security and Intrusion Detection · Software-Defined Networks and 5G
