Why could Secunia Research CVSS advisory scores differ from other public sources?

Question

Why is the Secunia CVSS score for an advisory different from the score given by the vendor or by other sources?
This article answers that question and includes concrete examples of the situations in which it occurs.

Answer

Secunia Research takes multiple sources into account when deriving the Secunia Research CVSS (Common Vulnerability Scoring System) metrics for a Secunia Advisory.

For example, vendor ratings, other available information (e.g. the vulnerability details), the product context, and security best practices can all play a role in defining the final score.

Ultimately, all of this information results in a specific Secunia Advisory that carries Secunia Research CVSS metrics based on our own research and analysis.

Differences from other CVSS metric providers can occur for several reasons. Some of the most common are listed below:

1) The information taken into account to calculate the CVSS metric may differ.

For example, a vendor may not take security best practices into account when assigning CVSS metrics, while Secunia Research always does. This frequently yields differences in the "Exploitability" metrics.

Specifically, in many CVSS assessments from other sources the "Attack Vector (AV)" is set to "Network". Secunia Research may instead set it to "Adjacent Network" if, for example, security best practices for the specific product or the affected component require that the component be accessible, and therefore exploitable, only from a separate corporate LAN (Local Area Network). To highlight this, Secunia Research assigns "Adjacent Network".

2) Organizations may interpret information used for the CVSS metric calculation differently.

The CVSS metric guidelines [1] necessarily leave some room for interpretation. As a result, Secunia Research encounters many CVSS metric providers whose metrics and scores differ widely, even when the type of vulnerability, the exploitation vectors, and the impacts are similar or exactly the same.

In the end, this results in CVSS metrics that are hardly comparable to each other. In certain cases, such variations can even result in CVSS scores that are more than 5.0 base points apart.

By performing our own analysis and providing specific Secunia Research CVSS metrics, all of our CVSS metrics ultimately become comparable, regardless of product and vendor interpretation, and grant a uniform view and interpretation of the CVSS metric for our customers.

References:
[1] https://www.first.org/cvss/v3.1/examples

Version history: revision 4 of 4, last updated Oct 13, 2019 09:25 AM.