Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores

The Common Vulnerability Scoring System score is the de facto standard to assess risk of software vulnerabilities, with three temporal components: exploitability, remediation level, and report confidence. We discuss how the latter may be inferred from the first two, pointing practical and conceptual issues in the usage of temporal risk scores.

Automated summary

The Common Vulnerability Scoring System score is the standard for evaluating the risk of software vulnerabilities and includes three temporal components: exploitability, remediation level, and report confidence. The discussion focuses on inferring report confidence from the first two components and highlights practical and conceptual issues in the usage of temporal risk scores.