Prioritizing Vulnerability Response

Abstract

We want an evidence-based vulnerability management system. CVSS (Common Vulnerability Scoring System) is:

  • Limited to technical severity
  • Has some design inconsistencies (see Towards Improving CVSS)

We propose a Stakeholder-Specific Vulnerability Categorization (SSVC) as an improvement:

  • Focus is on decisions, not technical severity
  • Transparent, role-specific recommendations
  • Experiment design to test process consistency


Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2020
Accession Number
AD1090432

Entities

People

  • Allen Householder
  • Art Manion
  • Eric Hatleback
  • Jonathan M. Spring

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Human Systems

DTIC Thesaurus Topics

  • Agreements
  • Communities
  • Consistency
  • Contracts
  • Contrast
  • Department Of Defense
  • Education
  • Engineering
  • Governments
  • Guarantees
  • Hypotheses
  • Internet
  • Materials
  • Patents
  • Pilot Studies
  • Reliability
  • Security
  • Software Development
  • Test And Evaluation
  • Universities
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Military Logistics and Supply Chain Management
  • Organizational Process Management (OPM)
  • Software Engineering