Contextual CVSS Scoring Accounting for Vulnerability Batches

Authors

L. G. Miranda, L. S. Coutinho, D. S. Menasché, G. K. Srivastava, A. Kocheturov, E. Lovat, A. Ramchandran, T. Limmer
DOI:

https://doi.org/10.5753/jisa.2025.5933

Keywords:

Vulnerability severity, CVE, CVSS, BERT, Data mining

Abstract

Software vulnerabilities are intrinsically related to product characteristics. The properties of a vulnerability, along with its severity, must be assessed in the context of the product in which the vulnerability is located. In this paper, our goal is to determine how context impacts severity. To this end, we pose the following questions: 1) How do different sources statistically differ in the way they parametrize severity? 2) Are there latent patterns that can be learned to determine how context impacts severity? 3) How do vulnerability batches shape scoring practices across sources? To answer these questions, we leverage public data from the National Vulnerability Database (NVD). By comparing the CVSS ratings reported by different sources for the same vulnerabilities, we provide insights into how scores are parametrized considering contextual factors. For the first question, we show that Industrial Control System (ICS) products tend to be rated with higher attack complexity and more restrictive attack vectors than their general-purpose counterparts. For the second, we show that a BERT-based language model, CVSS-BERT, can learn context-specific CVSS scores from vulnerability descriptions, achieving F1 scores above 90% and enabling knowledge transfer across sources. For the third, we show that while NVD often assigns uniform scores to every vulnerability within a batch, CVE Numbering Authorities (CNAs) introduce context-specific variations. These findings highlight the importance of context in assessing severity and suggest the feasibility of semi-automated, batch-aware vulnerability assessments.

References

Allodi, L., Cremonini, M., Massacci, F., et al. (2020). Measuring the accuracy of software vulnerability assessments: experiments with students and professionals. Empirical Softw. Engin., 25:1063-1094. DOI: 10.1007/s10664-019-09797-4.

Allodi, L. and Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM TISSEC, 17(1):1-20. DOI: 10.1145/2630069.

Anwar, A. et al. (2021). Cleaning the NVD: Comprehensive quality assessment, improvements, and analyses. IEEE Transactions on Dependable and Secure Computing, 19(6):4255-4269. DOI: 10.1109/dsn-s52858.2021.00011.

Björnsen, K. and Aven, T. (2019). Risk aggregation: What does it really mean? Reliability Engineering & System Safety, 191:106524. DOI: 10.1016/j.ress.2019.106524.

Costa, J. C., Roxo, T., Sequeiros, J. B., Proenca, H., and Inacio, P. R. (2022). Predicting CVSS metric via description interpretation. IEEE Access, 10:59125-59134. DOI: 10.1109/access.2022.3179692.

Coutinho, L. S., Menasche, D., Miranda, L., Lovat, E., Kumar, S. G., Ramchandran, A., Kocheturov, A., and Limmer, T. (2024). How context impacts vulnerability severity: An analysis of product-specific CVSS scores. In Proceedings of the 13th Latin-American Symposium on Dependable and Secure Computing, pages 17-27. DOI: 10.1145/3697090.3697109.

Croft, R., Babar, M. A., and Kholoosi, M. M. (2023). Data quality for software vulnerability datasets. In ICSE, pages 121-133. IEEE. DOI: 10.1109/icse48619.2023.00022.

Croft, R., Babar, M. A., and Li, L. (2022). An investigation into inconsistency of software vulnerability severity across data sources. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 338-348. IEEE. DOI: 10.1109/saner53432.2022.00050.

Dong, Y., Guo, W., Chen, Y., et al. (2019). Towards the detection of inconsistencies in public security vulnerability reports. In USENIX Security, pages 869-885. Available at: [link].

Elbaz, C. et al. (2020). Fighting n-day vulnerabilities with automated CVSS vector prediction at disclosure. In Int. Conf. Availability, Reliability and Security. DOI: 10.1145/3407023.3407038.

FIRST (2024). Available at: [link].

HackRead (2024). NIST NVD Halt Leaves Vulnerabilities Untagged. Available at: [link].

Han, Z., Li, X., Xing, Z., et al. (2017). Learning to predict severity of software vulnerability using only vulnerability description. In ICSME, page 125. DOI: 10.1109/icsme.2017.52.

Human Factors in Security and Privacy Group (2024). Consistency of CVSS. Available at: [link].

Khazaei, A. et al. (2016). An automatic method for CVSS score prediction using vulnerabilities description. Journal of Intelligent & Fuzzy Systems, 30(1). DOI: 10.3233/ifs-151733.

Kühn, P., Relke, D. N., and Reuter, C. (2023). Common vulnerability scoring system prediction based on open source intelligence information sources. Computers & Security, 131:103286. DOI: 10.1016/j.cose.2023.103286.

Le, T. H. M. and Babar, M. A. (2022). On the use of fine-grained vulnerable code statements for software vulnerability assessment models. In Intl. Conference on Mining Software Repositories, pages 621-633. DOI: 10.1145/3524842.3528433.

Maidl, M., Kröselberg, D., Zhao, T., and Limmer, T. (2021). System-specific risk rating of software vulnerabilities in industrial automation & control systems. In 2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pages 327-332. IEEE. DOI: 10.1109/ISSREW53611.2021.00097.

Maidl, M., Wirtz, R., Zhao, T., Heisel, M., and Wagner, M. (2019). Pattern-based modeling of cyber-physical systems for analyzing security. In Proceedings of the 24th European Conference on Pattern Languages of Programs, pages 1-10. DOI: 10.1145/3361149.3361172.

Massacci, F. (2024). The holy grail of vulnerability predictions. IEEE S&P, 22(1):4. DOI: 10.1109/msec.2023.3333936.

Mead, N. R. and Stehney, T. (2005). Security quality requirements engineering (SQUARE) methodology. ACM SIGSOFT Software Engineering Notes, 30(4):1-7. DOI: 10.21236/ada443493.

Shahid, M. R. and Debar, H. (2021). CVSS-BERT: Explainable natural language processing to determine the severity of a computer security vulnerability from its description. In ICMLA, pages 1600-1607. IEEE. DOI: 10.48550/arXiv.2111.08510.

Wunder, J., Kurtz, A., Eichenmüller, C., Gassmann, F., and Benenson, Z. (2023). Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities. In IEEE Security and Privacy, page 58. DOI: 10.1109/sp54263.2024.00058.

Zhang, S., Cai, M., Zhang, M., Zhao, L., et al. (2023a). The Flaw Within: Identifying CVSS Score Discrepancies in the NVD. In CloudCom, pages 185-192. IEEE. DOI: 10.1109/cloudcom59040.2023.00039.

Zhang, S., Zhang, M., and Zhao, L. (2023b). Viet: A tool for extracting essential information from vulnerability descriptions for CVSS evaluation. In IFIP Annual Conference on Data and Applications Security and Privacy, pages 386-403. Springer. DOI: 10.1007/978-3-031-37586-6_23.

Published

2025-12-16

How to Cite

Miranda, L. G., Coutinho, L. S., Menasché, D. S., Srivastava, G. K., Kocheturov, A., Lovat, E., Ramchandran, A., & Limmer, T. (2025). Contextual CVSS Scoring Accounting for Vulnerability Batches. Journal of Internet Services and Applications, 16(1), 696–712. https://doi.org/10.5753/jisa.2025.5933

Issue

Vol. 16 No. 1 (2025)
Section

Research article