On the impact of environmental metrics on CVSS scores
Abstract
CVSS is a framework that provides a method for rating the severity level of IT vulnerabilities. It takes into account not only the intrinsic characteristics of the vulnerability, but also its evolution over time and the user environment in which it is detected. A severity score, or CVSS score, is evaluated using several metrics: base, temporal and environmental. Base metric assessments are performed by organizations that maintain IT dictionaries (CVE, for example). These ratings can be found in public IT vulnerability databases such as NVD, OSVDB, etc. This paper studies the impact of applying environmental metrics to the CVSS scores stored in the NVD database, focuses on the variation of the CVSS score distribution, and identifies specific problems in the modified CVSS score formulae.