Relying on CVSS scores for vulnerability management may be misguided
The latest vulnerability intelligence report from Flashpoint finds that 52 percent of all vulnerabilities reported in the first half of 2022 that were scored 10.0 -- the most severe level -- on CVSS are likely scored incorrectly.
CVSSv2 scoring guidelines take a 'score for the worst' approach: when an advisory leaves some base metrics unclear, the scorer assumes the worst-case value for each of them. The report points out that this has pushed many vulnerabilities to a 10.0 even though they are actually less severe, simply because the vendor provided fewer details.
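To make the 'score for the worst' effect concrete, here is an added example (not code from the article or from Flashpoint): a CVSSv2 base-score calculator that fills any unknown metric with its worst-case value. The weights and formula are the published CVSSv2 base equations; the vectors fed to it are constructed. An advisory that says only "remote attacker, unspecified impact" (vector `AV:N`, everything else unknown) scores 10.0 under this policy, while the same bug fully specified as a pure denial of service (`AV:N/AC:L/Au:N/C:N/I:N/A:C`) scores 7.8.

```python
"""CVSSv2 base score with 'score for the worst' substitution for unknown metrics.

Added example, not part of the Flashpoint report or the article above.
Weights and equations are from the CVSSv2 specification; sample vectors are constructed.
"""
import math

# CVSSv2 base metric weights.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector: Local / Adjacent / Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity: High / Medium / Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication: Multiple / Single / None
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact: None / Partial / Complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

# The value of each metric that maximises the score; this is what a
# 'score for the worst' policy substitutes when an advisory is silent.
WORST = {metric: max(vals, key=vals.get) for metric, vals in WEIGHTS.items()}


def round1(x):
    """CVSSv2 rounds half up to one decimal; Python's round() is banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C'.

    A metric may be omitted or written as '?' to record that the advisory did
    not state it; such metrics come back as None.
    """
    metrics = {m: None for m in WEIGHTS}
    for part in vector.split("/"):
        if not part:
            continue
        name, _, value = part.partition(":")
        if name not in WEIGHTS:
            raise ValueError(f"unknown metric {name!r}")
        if value == "?":
            continue
        if value not in WEIGHTS[name]:
            raise ValueError(f"bad value {value!r} for metric {name}")
        metrics[name] = value
    return metrics


def fill_worst(metrics):
    """Replace every unknown (None) metric with its worst-case value."""
    return {m: (v if v is not None else WORST[m]) for m, v in metrics.items()}


def base_score(metrics):
    """CVSSv2 base score for a fully specified metric set."""
    missing = [m for m, v in metrics.items() if v is None]
    if missing:
        raise ValueError(f"metrics still unknown: {missing}; apply fill_worst() first")
    w = {m: WEIGHTS[m][v] for m, v in metrics.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def score_for_the_worst(vector):
    """Score a possibly incomplete vector the way the 'score for the worst' rule does."""
    return base_score(fill_worst(parse_vector(vector)))


if __name__ == "__main__":
    # Constructed advisories for the same hypothetical bug: one vague, one detailed.
    vague = "AV:N"                          # "a remote attacker ... unspecified impact"
    detailed = "AV:N/AC:L/Au:N/C:N/I:N/A:C"  # the same bug, disclosed as a plain DoS
    print(f"vague advisory   {vague!r:35} -> {score_for_the_worst(vague)}")
    print(f"detailed advisory {detailed!r:34} -> {score_for_the_worst(detailed)}")
```

The gap between the two numbers is entirely an artifact of how much the vendor wrote down, not of how dangerous the bug is, which is why the report treats a population of 10.0s as a data-quality signal rather than a priority list.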
The report highlights a threat intelligence gap, with Flashpoint collecting 11,860 vulnerabilities in the first six months of the year, while CVE/NVD failed to report and detail 27.3 percent of them.
Flashpoint also observed an 85 percent discrepancy between its own count of 'discovered-in-the-wild' vulnerabilities reported in the first half of 2022 and the counts kept by resources such as Google's Project Zero, which it reads as evidence that exploitation more often occurs outside of Advanced Persistent Threat (APT) attacks.
The report recommends that actionable severity, rather than the raw base score, should guide vulnerability prioritization, because it makes the best use of limited remediation resources. By focusing first on vulnerabilities of actionable severity, security teams can reduce their immediate workload by 82 percent. Once those issues are addressed, teams can examine the remainder using a risk-based approach that prioritizes at-risk assets according to business need, rather than uncontextualized base CVSS scores.
The report's authors conclude: "Security teams are struggling with incredible workloads, and their backlog of tasks constantly grows as Patch Tuesdays, Oracle CPUs, and the almost daily ongoing activity from CISA continue to be released. And while organizations understand the importance of triaging all of these issues, as well as being proactive overall, they can only do so with well-curated publicly available data."
You can read more and get the full report on the Flashpoint blog.