Towards Improving CVSS
• White Paper
Software Engineering Institute
In this paper, the authors outline challenges with the Common Vulnerability Scoring System (CVSS) published standard and propose changes to improve it. This paper focuses on common misconceptions and misuses of CVSS. For an alternative system of vulnerability prioritization, see Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization.
The authors have presented a system which overcomes some of these challenges in a new publication, the Stakeholder-specific Vulnerability Categorization: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459.
An updated version of "Towards Improving CVSS" has been published in IEEE Security and Privacy as "Time to Change the CVSS?" https://ieeexplore.ieee.org/document/9382369.