loading
Documents

Research.Publish.Connect.

Paper

Authors: Doudou Fall and Youki Kadobayashi

Affiliation: Laboratory for Cyber Resilience, Nara Institute of Science and Technology, 8916-5 Takayama-cho, Ikoma, Nara, Japan

ISBN: 978-989-758-359-9

Keyword(s): CVSS Scores, Well-known Vulnerabilities.

Abstract: Meltdown & Spectre came as natural disasters to the IT world with several doomsday scenarios being professed. Yet, when we turn to the de facto standard body for assessing the severity of a security vulnerability, the Common Vulnerability Scoring System (CVSS), we surprisingly notice that Meltdown & Spectre do not command the highest scores. We witness a similar situation for other rock star vulnerabilities (vulnerabilities that have received a lot of media attention) such as Heartbleed and KRACKs. In this manuscript, we investigate why the CVSS ‘fails’ at capturing the intrinsic characteristics of rock star vulnerabilities. We dissect the different elements of the CVSS (v2 and v3) to prove that there is nothing within it that can indicate why a particular vulnerability is a rock star. Further, we uncover a pattern that shows that, despite all the beautifully elaborated formulas, magic numbers and catch phrases of the CVSS, there is still a heavy presence human emotion into the scorin g as rock star vulnerabilities that were exploited in the wild before being discovered tend to have a higher score than those that were discovered and responsibly disclosed by security researchers. We believe that this is the principal reason of the discrepancy between the scoring and the level of media attention as the majority of 'modern' high level vulnerabilities are introduced by security researchers. (More)

PDF ImageFull Text

Download
CC BY-NC-ND 4.0

Sign In Guest: Register as new SciTePress user now for free.

Sign In SciTePress user: please login.

PDF ImageMy Papers

You are not signed in, therefore limits apply to your IP address 3.83.192.109

In the current month:
Recent papers: 100 available of 100 total
2+ years older papers: 200 available of 200 total

Paper citation in several formats:
Fall, D. and Kadobayashi, Y. (2019). The Common Vulnerability Scoring System vs. Rock Star Vulnerabilities: Why the Discrepancy?.In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 405-411. DOI: 10.5220/0007387704050411

@conference{icissp19,
author={Doudou Fall. and Youki Kadobayashi.},
title={The Common Vulnerability Scoring System vs. Rock Star Vulnerabilities: Why the Discrepancy?},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2019},
pages={405-411},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007387704050411},
isbn={978-989-758-359-9},
}

TY - CONF

JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - The Common Vulnerability Scoring System vs. Rock Star Vulnerabilities: Why the Discrepancy?
SN - 978-989-758-359-9
AU - Fall, D.
AU - Kadobayashi, Y.
PY - 2019
SP - 405
EP - 411
DO - 10.5220/0007387704050411

Login or register to post comments.

Comments on this Paper: Be the first to review this paper.