Machine Learning Algorithms for Conversion of CVSS Base Score from 2.0 to 3.x


The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of software vulnerabilities and measuring their severity. However, not all publicly known vulnerabilities have a criticality rating in CVSS 3.x, the latest and most advanced version of the standard. This is due to the large time gap between the publication of the CVSS 2.0 and CVSS 3.x standards, the large number of vulnerabilities detected and published in that period, and the significant differences in the method of determining vulnerability criticality and in assigning vector properties to the evaluation components. Consequently, organizations that use CVSS to prioritize vulnerabilities work with both CVSS versions and have abandoned a full transition to the CVSS 3.x standard. In this paper the authors introduce machine learning algorithms for converting CVSS 2.0 scores to CVSS 3.x scores, which should significantly facilitate the upgrade to the CVSS 3.x standard for all stakeholders. The case considered corresponds to a real-world application, so the research has a large potential impact.

Computational Science – ICCS 2021