Prioritizing Vulnerability Response: A Stakeholder Specific Vulnerability Categorization
CARNEGIE-MELLON UNIV PITTSBURGH PA PITTSBURGH United States
Pagination or Media Count:
This report is the second part of a research agenda about prioritizing actions during vulnerability management. Many organizations use the Common Vulnerability Scoring System CVSS for this purpose today. For problems with CVSS as it is, see the first part of our research agenda Towards Improving CVSS. This report presents a testable Stakeholder-Specific Vulnerability Categorization SSVC that avoids some problems with CVSS. Our informed hypothesis takes the form of decision trees for different vulnerability management communities. We welcome others to test and improve it. This report proposes a functional system to make our proposal concrete, as well as preliminary tests of its usefulness. However, our proposal is a detailed hypothesis to test, or a conversation starter, not a final proposal. In so far as is practical, we aim to avoid one-size-fits-all solutions. The stakeholders in vulnerability management are diverse, and that diversity needs to be accommodated in the main functionality, rather than squeezed into hard-to-use optional features.
- Computer Systems Management and Standards
- Administration and Management