Posts

Showing posts with the label defensive cyber operations

2021-02-13: Summary of "Latent Feature Vulnerability Ranking of CVSS Vectors", Part II

"A critique of the summary of 'Latent Feature Vulnerability Rankings of CVSS Vectors' (cc @correnmccoy https://t.co/Hmjph1CfNv" — Sciuridae Hero (@attritionorg), January 20, 2021

When an academic researcher must condense months or even years of work into a few pages for peer-reviewed publication, some degree of selectivity is required in terms of what to include. A paper summary, like the one I presented in my blog post Summary of "Latent Feature Vulnerability Ranking of CVSS Vectors", can condense the original content even further and perhaps lead to additional questions. Sciuridae Hero (@attritionorg), also known as Brian Martin (industry expert on security topics), took note of my paper summary and offered a thoughtful critique via Twitter and his own detailed blog entries. In this post, I would like to take a deeper look at each of Mr. Martin's bulleted comments and observations to 1) make sure I adequately represented the authors' original intent,

2021-01-19: Summary of "Latent Feature Vulnerability Rankings of CVSS Vectors"

Figure 1: CVSS Score Metrics. (Source: Balbix)

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. These severity scores, ranging from 0 (low) to 10 (high), have been directly used to prioritize vulnerability mitigation strategies. However, CVSS scores are not strongly linked to known cybersecurity exploits, and analysts can be overwhelmed by the volume of vulnerabilities that have similar high scores. This simple ranking approach could be improved if more detailed information on vulnerabilities and exploits were available. In their paper "Latent feature vulnerability ranking of CVSS vectors", Ross et al. seek to improve upon the CVSS score ranking by exploring the latent feature space described by a Jaccard similarity metric. Their goal is to provide a data-driven and alternative ranking approach using features in the CVSS base and temporal metric groups, Figure 1, enum