An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

12/20/2021
by Roland Croft, et al.

Software Vulnerability (SV) severity assessment is a vital task for informing SV remediation and triage. Ranking of SV severity scores is often used to advise prioritization of patching efforts. However, severity assessment is a difficult and subjective manual task that relies on expertise, knowledge, and standardized reporting schemes. Consequently, different data sources that perform independent analysis may provide conflicting severity rankings. Inconsistency across these data sources affects the reliability of severity assessment data, and can consequently impact SV prioritization and fixing. In this study, we investigate severity ranking inconsistencies over the SV reporting lifecycle. Our analysis helps characterize the nature of this problem, identify correlated factors, and determine the impacts of inconsistency on downstream tasks. Our findings observe that SV severity often lacks consideration or is underestimated during initial reporting, and such SVs consequently receive lower prioritization. We identify six potential attributes that are correlated to this misjudgment, and show that inconsistency in severity reporting schemes can severely degrade the performance of downstream severity prediction by up to 77 severity data inconsistencies and draw attention to this data quality problem. These insights can help developers better consider SV severity data sources, and improve the reliability of consequent SV prioritization. Furthermore, we encourage researchers to provide more attention to SV severity data selection.
