CVSS v3.1 was no stranger to critiques. The following were the common challenges encountered when leveraging CVSS.
CVSS Base Score being used as primary input to risk analysis
The CVSS Base Score is indeed a key factor in determining the severity of a vulnerability. However, it should not be the sole determinant, since it considers only the technical characteristics of the vulnerability and ignores business context, asset criticality and the threat landscape, which matter equally in a holistic risk analysis.
Not enough real time threat and supplemental impact details represented
This is a fair critique. The CVSS model does not account for real-time changes in the threat landscape, such as whether a particular vulnerability is being actively exploited in the wild. This information, which can greatly influence the risk profile of a vulnerability, is usually available from other sources.
Only applicable to IT systems
CVSS was indeed primarily designed for software and hardware IT systems. As such, it may not capture some specific nuances of non-IT systems or operational technologies, which can have different risk profiles and consequences if compromised.
Health, human safety, and industrial control systems not well represented
CVSS does not explicitly factor in the potential impact on human life or safety. In sectors where these factors are critical, like healthcare or industrial control systems, CVSS scores might not fully capture the severity of a vulnerability.
Scores published by vendors are often High or Critical (7.0+)
This can indeed be a problem if vendors overstate the severity of vulnerabilities, leading to alarm fatigue. However, this issue lies more with the vendor’s implementation of CVSS, rather than with the system itself.
Insufficient granularity – fewer than 99 discrete CVSS scores in practice
Although CVSS scores are expressed on a 0.0 to 10.0 scale with one decimal place, the formula produces fewer distinct values in practice, limiting its granularity. A more granular system might offer better differentiation between vulnerabilities.
Temporal Metrics do not effectively impact the final CVSS score
Temporal metrics in CVSS, which capture factors such as the current state of exploit code and the remediation level, do indeed carry less weight in the final score than many practitioners expect. While their inclusion is important, their impact may not be as significant as desired.
The math seems overly complicated and counterintuitive
The CVSS scoring involves complex mathematical equations to ensure a balanced representation of various factors. For non-technical users, this complexity can be overwhelming and appear counterintuitive. Simplification, while maintaining accuracy, could potentially improve usability and understanding of the system.
Where did you come up with that formula?
This critique emphasizes the complexity and seemingly arbitrary nature of the CVSS scoring algorithm. The CVSS scoring system was developed by a diverse team of experts and is based on extensive research and analysis. While it may seem confusing, it is the product of a deliberate process to balance a variety of different factors in vulnerability scoring. Nevertheless, continuous improvement and simplification should always be sought.