A critique of the summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”

Update: Corren McCoy has written a wonderful response to this blog where she goes into more detail about her conclusions as well as citing more portions of the original research that led to her conclusions. As she notes, there are several layers of condensing the original research at play here, which can dilute and distort the original research. In her follow-up she breaks down each of these areas that I address below. If you continue reading my blog below, please read her reply after to get a better picture. Thank you!

“What do you think of this?” It always starts out simple. A friend asked this question of an article titled Summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”. This study is math heavy and that is not my jam. But vulnerability databases are, and that includes the CVE ecosystem, which encompasses NVD. I am also pretty familiar with the limitations of the CVSS scoring system, and colleagues at RBS have written extensively on them.

I really don’t have the time or desire to dig into this too heavily, but my response to the friend was “immediately problematic”. I’ll cliff-notes some of the things that stand out to me, starting with the first graphic included, which she specifically asked me about.

Perhaps this summary is not well written and the paper actually has more merit? I doubt it; the summary seems comprehensive and captures the key points, but I don’t think the summary author works with this content either. Stats and math, yes. Vulnerabilities, no.

