My Software has a Vulnerability, Should I Worry?

Luca Allodi
Fabio Massacci, DISI - University of Trento, Trento, Italy.
Vulnerability studies usually rely on the NVD or on ‘proof-of-concept’ exploit databases (Exploit-db, or OSVDB), while the risk of an individual vulnerability is measured by its CVSS score. A key issue is whether reported and evaluated vulnerabilities have actually been exploited in the wild, and whether the risk scores match the risk of actual exploitation. We compare the NVD dataset with two additional datasets: EDB, for the white market of vulnerabilities, and EKITS, for the exploits traded in the black market. We benchmark them against Symantec’s threat explorer dataset (SYM) of actual exploits in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores to test their reliability as a risk factor for actual exploitation. We conclude that (a) EDB and NVD are the wrong databases to look at for studies that target real exploits, (b) the CVSS score presents high sensitivity (ruling in vulns for which we should worry) only for vulnerabilities traded in the black market, and (c) we lack a metric with high specificity (ruling out vulns for which we shouldn’t worry).
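To make the sensitivity/specificity framing concrete, the following added example (not code or data from the paper) scores a CVSS threshold as a "should I worry" classifier against in-the-wild exploitation, overall and within the white-market (EDB) and black-market (EKITS) subsets. The record layout, the threshold and the sample records are assumptions constructed for illustration; the resulting numbers do not reproduce the paper's findings.

```python
"""Sensitivity and specificity of a CVSS threshold as a predictor of
in-the-wild exploitation, over a constructed sample of vulnerability records.
The field layout (cvss, in_edb, in_ekits, in_sym) is an assumption for this
example, not the paper's data schema."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vid: str        # constructed identifier, not a real CVE
    cvss: float     # CVSS base score
    in_edb: bool    # proof-of-concept exploit published (white market)
    in_ekits: bool  # exploit bundled in a traded kit (black market)
    in_sym: bool    # seen exploited in the wild: the ground truth


# Constructed sample, not data from the paper.
SAMPLE: List[Vuln] = [
    Vuln("v01", 9.3, True, True, True),
    Vuln("v02", 10.0, True, False, False),
    Vuln("v03", 7.5, False, True, True),
    Vuln("v04", 4.3, True, False, False),
    Vuln("v05", 9.3, True, False, False),
    Vuln("v06", 7.2, False, True, True),
    Vuln("v07", 5.0, False, False, False),
    Vuln("v08", 9.3, False, True, False),
    Vuln("v09", 7.2, True, False, True),
    Vuln("v10", 2.6, True, False, False),
    Vuln("v11", 6.0, True, False, True),
]


def sens_spec(vulns: List[Vuln], threshold: float) -> Tuple[float, float]:
    """Flag cvss >= threshold as 'worry'. Sensitivity: share of exploited vulns
    that were flagged. Specificity: share of unexploited vulns left unflagged.
    A subset with no positives (or no negatives) yields NaN for that metric."""
    tp = fn = fp = tn = 0
    for v in vulns:
        flagged = v.cvss >= threshold
        if v.in_sym:
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    sens = tp / (tp + fn) if tp + fn else float("nan")
    spec = tn / (tn + fp) if tn + fp else float("nan")
    return sens, spec


def by_market(vulns: List[Vuln], threshold: float) -> Dict[str, Tuple[float, float]]:
    """Same metric restricted to the white-market and black-market subsets."""
    return {
        "all": sens_spec(vulns, threshold),
        "edb": sens_spec([v for v in vulns if v.in_edb], threshold),
        "ekits": sens_spec([v for v in vulns if v.in_ekits], threshold),
    }
```

Running `by_market(SAMPLE, 7.0)` shows how the same threshold can rule in every exploited kit vulnerability while ruling out almost none of the high-scoring but never-exploited ones, which is the sensitivity/specificity gap the abstract describes.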