Analysis of CVSS Vulnerability Base Scores in the Context of Exploits' Availability.

ICTON(2023)

Abstract
The Common Vulnerability Scoring System (CVSS) is a well-established standard for evaluating vulnerability criticality in Information and Communication Technology (ICT) infrastructure. In this paper, particular attention is given to selected aspects of the temporal component of the CVSS 3.x vector. An analysis was performed to relate the information provided by the base and temporal components of the CVSS 3.x vector, using a public database of known vulnerabilities, the National Vulnerability Database (NVD) created and maintained by the National Institute of Standards and Technology (NIST), and two publicly available exploit databases: Exploit Database and Attacker KB. Histograms were derived from the information available in the databases using Python scripts. The results show that some numerical values of base scores obtained by applying CVSS v3.x are overrepresented when compared with the respective numbers of available exploits.
Keywords
vulnerability management, ICT security, vulnerability prioritization