How Context Impacts Vulnerability Severity: An Analysis of Product-Specific CVSS Scores

  • Lucas Senos Coutinho UFRJ
  • Daniel Menasche UFRJ
  • Lucas Miranda UFRJ
  • Enrico Lovat Siemens
  • Srivastava Gaurav Kumar Siemens
  • Abhishek Ramchandran Siemens
  • Anton Kocheturov Siemens
  • Tobias Limmer Siemens

Abstract

Software vulnerabilities are intrinsically related to product-specific characteristics. The properties of a vulnerability, along with its severity, must be assessed in the context of the product in which the vulnerability is located. In this paper, our goal is to determine how context impacts severity. To this end, we pose the following questions: 1) How do different sources statistically differ in the way they parametrize severity? 2) Are there latent patterns that can be learned to determine how context impacts severity? To answer those questions, we leverage public data from the National Vulnerability Database (NVD). By comparing CVSS ratings reported by different sources for the same vulnerabilities, we provide insights on how scores are parametrized considering contextual factors. While addressing the first question, we show, for instance, that Industrial Control System (ICS) products tend to have higher attack complexity and more restrictive attack vectors when compared against their general counterparts. While addressing the second question, we show that a BERT-based language model, CVSS-BERT, can learn product-specific CVSS scores from the textual description of vulnerabilities, achieving F1 scores above 90%, indicating potential for knowledge transfer across different sources within NVD. These findings highlight the importance of context in assessing severity and suggest the feasibility of semi-automated vulnerability assessments for diverse product settings.
Keywords: Vulnerability severity, CVE, CVSS, BERT, data mining
Published
26/11/2024
COUTINHO, Lucas Senos; MENASCHE, Daniel; MIRANDA, Lucas; LOVAT, Enrico; KUMAR, Srivastava Gaurav; RAMCHANDRAN, Abhishek; KOCHETUROV, Anton; LIMMER, Tobias. How Context Impacts Vulnerability Severity: An Analysis of Product-Specific CVSS Scores. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 17–27.