CVE, CVSS scores need overhauling, argues Codific CEO


Security Experts Demand Overhaul of Vulnerability Scoring Systems


The cybersecurity industry’s reliance on standardized vulnerability assessment systems is drawing criticism from security leaders who argue that the current frameworks need significant reform. Aram Hovespyan, CEO of security firm Codific, has joined the calls for major changes to vulnerability assessment, citing fundamental flaws in both the CVE (Common Vulnerabilities and Exposures) identification system and the CVSS (Common Vulnerability Scoring System) severity methodology.

The Problem with CVEs: Misaligned Incentives and Questionable Validity

Hovespyan’s analysis reveals that approximately one-third of assigned CVEs may be meaningless, a finding supported by academic research presented at the USENIX Security Symposium. The study “Confusing Value with Enumeration: Studying the Use of CVEs in Academia” examined 1,803 CVEs cited in research papers over five years and found that 34% either lacked public confirmation or were disputed by the maintainers of the allegedly vulnerable software.

The CVE assignment process begins when security researchers disclose vulnerabilities to CVE Numbering Authorities (CNAs), which include organizations ranging from Microsoft to open-source foundations. However, Hovespyan identifies critical incentive misalignments throughout this ecosystem. “Vulnerability researchers often aim to publish as many CVEs as possible to build their reputations,” he notes, while “product CNAs have little motivation to create CVEs that expose flaws in their own software.”

This dynamic is further complicated by the role of CNAs of Last Resort (CNA-LRs), the fallback authorities that assign IDs for software no product CNA covers, which Hovespyan says “typically lack the technical context for thorough validation and are more inclined to publish quickly rather than accurately.” The result is a stream of vulnerability reports that developers are expected to address whether or not they are accurate.

CVSS Scoring: Mathematical Flaws and Inconsistency

The problems extend beyond identification to severity assessment. Hovespyan highlights significant issues with the CVSS framework, noting that “studies have found that more than 40 percent of CVEs receive different scores when re-evaluated by the same person just nine months later.” This inconsistency undermines the system’s reliability for security planning and resource allocation.

More fundamentally, Hovespyan argues that performing arithmetic on CVSS scores is mathematically unsound. A CVSS score is ordinal: it ranks vulnerabilities relative to one another, but the gap between a 4.0 and a 6.0 is not the same quantity as the gap between a 7.0 and a 9.0, so summing, averaging, or weighting the numbers, as many security tools and risk formulas do, produces figures with no defined meaning.

Real-World Examples Highlight Systemic Issues

The practical consequences of these flaws are evident in several notable cases. Florian Hantke, a German PhD student, successfully obtained a CVE with a 9.1 CVSS score for a deprecated system that nobody used. Similarly, a curl vulnerability initially received a dramatic 9.8 out of 10 score before being downgraded to 3.3 after proper assessment.

Daniel Stenberg, creator and maintainer of curl, confirms these concerns in correspondence with The Register. He emphasizes that CVSS scores cannot accurately reflect every usage scenario, particularly for products deployed in diverse environments. “CVSS is meant to give a base score and then everyone should apply their own environment and risk judgement on top,” Stenberg explains, “but in reality that is not how the numbers are used.”


Industry Response and Alternative Approaches

In response to these systemic issues, prominent open-source projects are taking matters into their own hands. Both the curl project and the Linux kernel CNA, led by Greg Kroah-Hartman, now decline to attach CVSS scores to their CVEs. Stenberg’s blog post titled “CVSS is dead to us” captures this growing sentiment within the development community.


Hovespyan acknowledges that CVEs and CVSS scores still have value as inputs but stresses that they should never be the foundation of an application security strategy. “We need to start with a shared understanding of risk, grounded in threat modeling and contextual triage,” he advises.

The Path Forward: Contextual Assessment Over Standardized Scores

The solution, according to Hovespyan, involves procedural improvements among those assessing vulnerability reports and a fundamental shift in how organizations approach security risk. Vulnerability dashboards can be helpful, but only when read through what he calls a “scientific lens” that accounts for the organization’s own context and threat model.


As the cybersecurity industry grapples with these assessment challenges, the call for reform signals a maturation in how organizations approach vulnerability management—moving beyond standardized scores toward nuanced, context-aware security strategies that better reflect real-world risk.

Based on reporting by The Register (theregister.com). This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.
