Industry Leaders Call for Major Reforms to Vulnerability Scoring Systems


Vulnerability Identification Systems Under Scrutiny

Both of the industry's core vulnerability identification and scoring systems need a significant overhaul, according to an analysis published by security firm Codific and reported by The Register. The Common Vulnerabilities and Exposures (CVE) catalogue and the Common Vulnerability Scoring System (CVSS), the analysis argues, suffer from fundamental flaws that undermine how much weight practitioners can safely place on them.

Questionable CVE Validation Processes

Aram Hovespyan, co-founder and CEO of security firm Codific, argues that roughly one-third of CVE entries may be meaningless. He cites research presented at the USENIX Security Symposium which examined 1,803 CVEs cited in academic papers over a five-year period and found that 34 percent of them were either unconfirmed or disputed by the software's maintainers. The caveat a reader should keep in mind is that the sample is CVEs that made it into research papers, not a random draw from the CVE corpus, so the figure should not be read as the rejection rate of the catalogue as a whole.

The analysis describes CVE assignment as a process involving several stakeholders whose incentives conflict. According to Hovespyan's write-up on Codific's website, vulnerability researchers are motivated to publish as many CVEs as possible to build reputation; product CNAs (the vendors that assign identifiers for their own software) have little incentive to document flaws in that software; and CNAs of Last Resort (CNA-LRs) such as Red Hat, which handle requests no other CNA covers, may lack the technical context needed to validate a report thoroughly.

Inconsistent Scoring and Mathematical Concerns

The CVSS scoring system is also inconsistent in practice. Studies cited in the analysis found that more than 40 percent of CVEs receive a different score when re-evaluated by the same person just nine months later. Hovespyan further contends that performing arithmetic on CVSS scores is mathematically unsound: a score is an ordinal value (a 9.8 ranks above a 3.3, but is not "three times as severe"), so averaging scores across a backlog, summing them into a risk total, or subtracting one from another treats a ranking as if it were a measured quantity.

Examples of problematic scoring include a vulnerability in a deprecated system that initially received a 9.1 base score before being downgraded, a case documented in a blog post about how quickly a CVE can be obtained. Another involved a curl vulnerability that was initially scored 9.8 out of 10 and later reduced to 3.3.

Industry Support for Reform

Daniel Stenberg, creator and maintainer of curl, reportedly agrees with the criticism, telling The Register that CVSS scores present particular problems for products used in diverse environments where a single score cannot accurately reflect every usage scenario. Stenberg elaborated on this position in his blog post titled “CVSS is dead to us” earlier this year.

“CVSS is meant to give a base score and then everyone should apply their own environment and risk judgement on top, but in reality that is not how the numbers are used,” Stenberg explained. The curl project reportedly does not provide CVSS scores at all, echoing the approach of Linux kernel CNA head Greg Kroah-Hartman.

Systemic Challenges in CVE Governance

The CVE system originated with the MITRE Corporation and has since expanded to include numerous CVE Numbering Authorities (CNAs), each assigning identifiers under a shared set of rules and guidelines. That distributed model, the analysis suggests, creates coordination challenges and leads to the standards being applied unevenly.

Despite these problems, Hovespyan acknowledges that CVEs and CVSS scores still have value as inputs; they should not, however, form the foundation of an entire application security strategy. He argues for a shared understanding of risk grounded in threat modeling and contextual triage, with vulnerability dashboards read through what he calls a “scientific lens.”

The call for reform comes amid broader industry recognition that current security assessment approaches may require substantial revision to effectively address evolving cybersecurity challenges.

This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.
