The Effect of Common Vulnerability Scoring System Metrics on Vulnerability Exploit Delay

Abstract

Modern system administrators need to monitor disclosed software vulnerabilities and address applicable vulnerabilities via patching, reconfiguration and other measures. In 2017, over 14,000 new vulnerabilities were disclosed, so, a key question for administrators is which vulnerabilities to prioritise. The Common Vulnerability Scoring System (CVSS) is often used to decide which vulnerabilities pose the greatest risk and hence inform patching policy. A CVSS score is indicative of a vulnerability severity, but it doesn't predict the time to exploit for a vulnerability. A prediction of exploit delay would greatly assist vendors in prioritising their patch releases and system administrators in prioritising the installation of these patches. In this paper, we study the effect of CVSS metrics on the time until a proof of concept exploit is developed. We use the National Vulnerability Database (NVD) and the Exploit Database, which represent two of the largest listings of vulnerabilities and exploit data, to show how CVSS metrics can provide better insight into exploit delay. We also investigate the time lag associated with populating CVSS metrics and find that the median delay has increased rapidly from a single day prior to 2017 to 19 days in 2018. This is an alarming trend, given the rapid decline in median vulnerability exploit time from 296 days in 2005 to six days in 2018.