Comparison of vulnerability ratings produced using the CVSS scores and the criticality ratings assigned by Secunia Research
Why is the severity rating implied by the Common Vulnerability Scoring System (CVSS) score that high (or low) compared to the criticality rating assigned by Secunia Research?
The CVSS score itself is unfortunately not well suited to deriving the actual criticality of a vulnerability or its prioritization. While CVSS is a standardized system whose metrics capture certain important vulnerability characteristics (for example, confidentiality impact), the score calculated from those metrics is not necessarily useful for determining the actual criticality and, following from that, the prioritization of a vulnerability.
Frequently, even minor vulnerabilities, such as those that require an attacker to have locally authenticated access to a system, receive CVSS scores beyond 6 and 7. This does not accurately reflect their actual exploitation potential and therefore does not allow customers to prioritize properly. The same issue shows in the CVSS-derived rating "Low" being very underutilized, which indicates that CVSS itself has a scaling issue. This is already true for CVSS version 2, and even more so for CVSS version 3, where scores appear to have increased further on average. If more than 90% of vulnerability scores end up in the upper part of the range, the scaling is out of balance.
Secunia Research, the vulnerability intelligence team behind Flexera's Security Vulnerability Management (SVM) business and its vulnerability intelligence business, has developed a criticality scoring methodology that allows companies to judge the priority of valid vulnerabilities accurately. The rating is based on an analysis performed by Secunia Research and takes the vulnerability, the product context, and security best practices into account. This additional layer of scoring helps customers and security teams prioritize vulnerabilities precisely.