On the Disconnect between CVSS Scores and Vulnerability Bounties
ABSTRACT
The Common Vulnerability Scoring System (CVSS) has been the standard for vulnerability severity assessment. The U.S. National Vulnerability Database (NVD) mandates CVSS base scoring of all vulnerabilities that it curates. The CVSS metrics, however, go unused when software vendors are looking to reward ethical hackers with monetary benefits ("bounties") for responsibly disclosing vulnerabilities. In this poster, we present the findings from an empirical evaluation of the relationship (or lack thereof) between the two conceptually related metrics: CVSS score and vulnerability bounty.
We collected the CVSS scores and bounties for 851 vulnerabilities across 28 products. A simple Spearman's rank correlation analysis revealed a weak correlation (ρ = 0.2799) between CVSS scores and vulnerability bounties. Hypothesizing that the weak correlation may be due to differences in concerns, we qualitatively compared the severity assessment criteria in CVSS to those in bounty determination guidelines.
We found that 22 of the 34 bounty determination criteria are not explicitly mentioned in the CVSS specification. The results indicate that CVSS metrics lack the specificity of bounty determination guidelines, leading to a tenuous relationship between CVSS score and bounty.
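To make the statistic in the abstract concrete, the following is an added example (not code from the poster or its authors) that computes Spearman's rank correlation between CVSS base scores and bounty amounts using only the Python standard library. The (identifier, CVSS, bounty) rows are constructed illustrative data with placeholder identifiers, not the 851 vulnerabilities the poster analysed; the tie-aware ranking matters here because CVSS base scores cluster on a handful of values (7.5, 9.8, ...) and many bounty programs pay fixed tiers.

```python
"""Spearman's rank correlation between CVSS base scores and bounty payouts.

Added example, not part of the original poster. SAMPLE is constructed data
with placeholder identifiers; it is not the dataset the poster analysed.
"""
from typing import List, Sequence, Tuple

# Constructed sample rows: (placeholder id, CVSS v3 base score, bounty in USD).
# Deliberately includes tied CVSS scores, as real NVD data does.
SAMPLE: List[Tuple[str, float, float]] = [
    ("vuln-01", 9.8, 5000),
    ("vuln-02", 9.8, 500),
    ("vuln-03", 7.5, 3000),
    ("vuln-04", 7.5, 1000),
    ("vuln-05", 5.3, 2500),
    ("vuln-06", 5.3, 250),
    ("vuln-07", 4.3, 4000),
    ("vuln-08", 3.1, 100),
]


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n in ascending order; tied values share the mean of
    the positions they occupy (the standard Spearman tie convention)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        # Extend j over the run of values equal to values[order[i]].
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        # Positions are 1-based, so the run spans i+1 .. j+1.
        shared = ((i + 1) + (j + 1)) / 2
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson product-moment correlation of two equal-length sequences."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two sequences of equal length >= 2")
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    if var_x == 0 or var_y == 0:
        raise ValueError("correlation undefined for a constant sequence")
    return cov / (var_x * var_y) ** 0.5


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's rho: Pearson correlation computed on tie-aware ranks.
    Using ranks rather than the d^2 shortcut keeps ties handled correctly."""
    return pearson(average_ranks(x), average_ranks(y))


def cvss_bounty_rho(rows: Sequence[Tuple[str, float, float]]) -> float:
    """Spearman's rho between the CVSS and bounty columns of the rows."""
    scores = [r[1] for r in rows]
    bounties = [r[2] for r in rows]
    return spearman(scores, bounties)


if __name__ == "__main__":
    rho = cvss_bounty_rho(SAMPLE)
    print(f"Spearman rho over {len(SAMPLE)} constructed rows: {rho:.4f}")
```

On the constructed rows rho comes out around 0.36: positive, but well short of the monotone relationship one would expect if vendors priced bounties from CVSS. A real replication would feed the same function NVD base scores and disclosed payouts, and should also report a p-value or confidence interval, which this stdlib-only sketch omits.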