Gotta Catch 'em All: Aggregating CVSS Scores. (arXiv:2310.02062v1 [cs.CR])
cs.CR updates on arXiv.org arxiv.org
Security metrics are not standardized, but international proposals such as
the Common Vulnerability Scoring System (CVSS) for quantifying the severity of
known vulnerabilities are widely used. Many CVSS aggregation mechanisms
have been proposed in the literature. Nevertheless, factors related to the
context of the System Under Test (SUT) are not taken into account in the
aggregation process; vulnerabilities that in theory affect the SUT, but are not
exploitable in reality. We propose a CVSS aggregation algorithm that integrates
information about the functionality disruption of the SUT, exploitation …