Research area: Infrastructure
Conference: 2025 International Conference on Computing, Networking and Communications (ICNC)
Effective vulnerability assessment is critical in cybersecurity, especially for prioritizing risk mitigation in complex systems. The Common Vulnerability Scoring System (CVSS) provides a standardized method to evaluate the severity of vulnerabilities, but public repositories like the NVD often lack direct mappings between CVSS scores and specific affected products. This gap complicates practical decision-making for stakeholders responsible for remediation efforts. This paper presents a detailed analysis of how product-specific CVSS scores are assigned, focusing on the interplay between CVE Numbering Authorities (CNAs) and Common Platform Enumeration (CPE) vendors. We identify key challenges in aligning CVSS scores with specific products, especially for applications linked to multiple vendors, which often require additional context for accurate risk prioritization. These insights support the creation of automated tools to link CVSS scores to specific products and improve the transparency and consistency of vulnerability assessments. By addressing these gaps, this work provides practitioners with a framework to enhance vulnerability prioritization, particularly for products with diverse configurations and use cases.
| Publication year | 2025 |
|---|---|
| Citations | 70 |
| Country of publication | Brazil, Antigua and Barbuda |
| Site | IEEE |
| Likes | 0 |