DeepAI AI Chat
Log In Sign Up

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

by   Roland Croft, et al.
The University of Adelaide
Monash University

Software Vulnerability (SV) severity assessment is a vital task for informing SV remediation and triage. Ranking of SV severity scores is often used to advise prioritization of patching efforts. However, severity assessment is a difficult and subjective manual task that relies on expertise, knowledge, and standardized reporting schemes. Consequently, different data sources that perform independent analysis may provide conflicting severity rankings. Inconsistency across these data sources affects the reliability of severity assessment data, and can consequently impact SV prioritization and fixing. In this study, we investigate severity ranking inconsistencies over the SV reporting lifecycle. Our analysis helps characterize the nature of this problem, identify correlated factors, and determine the impacts of inconsistency on downstream tasks. Our findings observe that SV severity often lacks consideration or is underestimated during initial reporting, and such SVs consequently receive lower prioritization. We identify six potential attributes that are correlated to this misjudgment, and show that inconsistency in severity reporting schemes can severely degrade the performance of downstream severity prediction by up to 77 severity data inconsistencies and draw attention to this data quality problem. These insights can help developers better consider SV severity data sources, and improve the reliability of consequent SV prioritization. Furthermore, we encourage researchers to provide more attention to SV severity data selection.


page 1

page 3

page 6

page 7


Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

Vulnerability databases are vital sources of information on emergent sof...

Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS

The assessment of new vulnerabilities is an activity that accounts for i...

Data Quality for Software Vulnerability Datasets

The use of learning-based techniques to achieve automated software vulne...

Log severity level classification: an approach for systems in production

Context: Logs are often the primary source of information for system dev...

Invariance in Policy Optimisation and Partial Identifiability in Reward Learning

It's challenging to design reward functions for complex, real-world task...

Severity Level of Permissions in Role-Based Access Control

The analysis of hidden channels of information leakage with respect to r...