Full Report
CVE and CVSS systems suffer from misaligned incentives and inconsistency. Aram Hovsepyan, co-founder and CEO of security biz Codific, says that the rating systems for identifying security vulnerabilities and assessing threat risk need to be overhauled.…
Analysis Summary
This analysis is based on a critique of the existing CVE and CVSS systems, rather than a report on a specific, single vulnerability. Therefore, the sections below reflect the systemic issues raised by Aram Hovsepyan and others regarding these rating mechanisms rather than the attributes of one flaw.
# Vulnerability: Systemic Issues in CVE and CVSS Rating Mechanisms
## CVE Details
- CVE ID: N/A (Analyzing the system, not a specific ID)
- CVSS Score: Inconsistent/Unreliable
- CWE: N/A
## Affected Systems
- Products: All software/hardware assigned CVEs by the current CNA system.
- Versions: All versions included in reports associated with flawed CVE/CVSS assignments.
- Configurations: N/A
## Vulnerability Description
The CVE and CVSS systems suffer from misaligned incentives and inconsistency.
1. **CVE Validity:** Approximately 34% of CVEs cited in academic research over the past five years are either not publicly confirmed or have been disputed by maintainers, suggesting a lack of reliable verification.
2. **CNA Incentives:** Vulnerability researchers are incentivized to publish many CVEs for reputation, while product CNAs lack motivation to create CVEs exposing flaws in their own software. CNAs of Last Resort (CNA-LRs) may publish quickly without sufficient technical validation.
3. **CVSS Inconsistency:** CVSS scores are inconsistent: studies show that over 40% of vulnerabilities receive a different score when re-evaluated by the same person months later. Furthermore, ordinal scores are often treated as quantitative values for algorithmic use (averaged, summed, or thresholded), which is mathematically unsound. Cited examples show extreme score fluctuations (e.g., a 9.1 downgraded on a deprecated system, and a 9.8 downgraded to 3.3 for `curl`).
## Exploitation
- Status: Not applicable to the rating systems themselves, but flawed CVEs and scores may misrepresent real-world exploitation risk.
- Complexity: Varies widely due to inconsistent scoring.
- Attack Vector: N/A
## Impact
- Confidentiality: Misrepresentation of risk due to inconsistent scoring causes critical vulnerabilities to be misprioritized.
- Integrity: Decision-making processes based on faulty scores lead to misdirected security investments.
- Availability: N/A
## Remediation
### Patches
- N/A (This is a critique of the reporting system, not a software flaw requiring a patch.)
### Workarounds
- Contextual triage and threat modeling should take priority over raw CVE/CVSS inputs as the basis for security strategy.
- Organizations such as the curl project and the Linux kernel CNA do not provide CVSS scores at all, relying instead on internal risk judgment.
## Detection
- Indicators of Compromise: N/A
- Detection methods and tools: Dashboards that incorporate CVE/CVSS data must be interpreted critically, grounded in a shared understanding of risk rather than raw scores.
## References
- Aram Hovsepyan (Codific) Blog Post: hxxps://codific.com/appsec-risk-with-cve-and-cvss/
- USENIX Security Paper: hxxps://www.usenix.org/conference/usenixsecurity25/presentation/schloegel
- Curl Project Blog Post: hxxps://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/