Beyond the CVSS: Rethinking the Contextualisation of CVEs in a Connected World
DOI: https://doi.org/10.34190/eccws.24.1.3529
Keywords: vulnerability, CVE, vulnerability management
Abstract
In the context of globalized information technology, managing the growing number of Common Vulnerabilities and Exposures (CVE) records has become one of the most complex challenges for security teams. CVEs affect everyone: whether you are Microsoft Corporation, a national government, or an ordinary citizen, no one is immune. The burden on cybersecurity teams is heavier than ever, and the more diverse the assets a system holds, the broader its monitoring scope must be. To avoid overwhelming operational and security teams, the contextualization of CVEs must therefore be adapted so that emerging risks are addressed proactively and effectively. This involves analysing not only the technical characteristics of a vulnerability but also contextual factors (where the affected asset sits and what it matters to) and the dynamics of the global threat landscape. Relying solely on the CVSS score is no longer sufficient; newer indicators offer a fresh perspective on how security teams contextualize vulnerabilities. Effective vulnerability management within an environment first requires assessing the maturity of the process: from the most basic level, which allows only the identification of vulnerabilities and the patching of assets, to the most advanced, which integrates business and IT impacts, clearly identifies priority threat vectors, and runs remediation as a continuous process. Since the beginning of 2024, however, vulnerability management has been significantly disrupted by the absence of enrichment analysis from the NVD (National Vulnerability Database) maintained by NIST (National Institute of Standards and Technology). As the NVD is the primary source of published CVE analysis, this gap has hindered processes, leaving organisations with only partial assessments from vendors, which are often insufficient and frequently differ from those of the NVD.
In this paper, we examine the maturity levels that a vulnerability management process passes through over its lifetime, define the different indicators that characterize CVEs, and reflect on the dependence of these processes on the NVD.
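As an added example (not the paper's own method, code or data), the following Python sketch shows what "contextualizing beyond the CVSS score" and the NVD-dependence problem described above look like in code. The input records mimic a subset of the NVD API 2.0 `cve` object layout (`vulnStatus`, `metrics.cvssMetricV31[]` entries with `type` "Primary" for the NVD analysis and "Secondary" for the CNA/vendor score); the CVE identifiers, the asset and threat context, and the weights are all constructed assumptions for the demonstration, and the threat indicators stand in for feeds the abstract does not name.

```python
"""Contextual CVE prioritisation beyond the CVSS base score.

Illustrative example added to this page, not the paper's method. Records mimic
a subset of the NVD API 2.0 "cve" object; IDs, contexts and weights are assumed.
"""
from dataclasses import dataclass

# Constructed sample records. The IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    {   # enriched by NVD: a "Primary" entry plus the CNA's own "Secondary" entry
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
            {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 7.5}},
        ]},
    },
    {   # the 2024 backlog case: no NVD analysis, only the vendor (CNA) score exists
        "id": "CVE-0000-0002",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 5.3}},
        ]},
    },
    {   # no CVSS metric at all yet
        "id": "CVE-0000-0003",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {},
    },
]


@dataclass
class AssetContext:
    """Where the vulnerable asset sits and what it matters to (assumed inputs)."""
    internet_exposed: bool
    criticality: str            # "high" | "medium" | "low"


@dataclass
class ThreatContext:
    """Threat-landscape indicators (assumed inputs; the page names no specific feed)."""
    exploited_in_wild: bool = False
    exploit_probability: float = 0.0   # 0.0 .. 1.0


# Constructed context, keyed by CVE id.
SAMPLE_ASSET_CONTEXT = {
    "CVE-0000-0001": AssetContext(internet_exposed=False, criticality="low"),
    "CVE-0000-0002": AssetContext(internet_exposed=True, criticality="high"),
    "CVE-0000-0003": AssetContext(internet_exposed=True, criticality="medium"),
}
SAMPLE_THREAT_CONTEXT = {
    "CVE-0000-0001": ThreatContext(exploited_in_wild=False, exploit_probability=0.05),
    "CVE-0000-0002": ThreatContext(exploited_in_wild=True, exploit_probability=0.9),
    "CVE-0000-0003": ThreatContext(exploited_in_wild=False, exploit_probability=0.6),
}

CRITICALITY_WEIGHT = {"high": 1.2, "medium": 1.0, "low": 0.8}   # assumed weights
UNSCORED_PLACEHOLDER = 5.0   # assumed neutral base for records with no CVSS metric yet


def select_base_score(cve):
    """Prefer the NVD ("Primary") CVSS v3.1 entry; fall back to the CNA/vendor
    ("Secondary") entry and say so; report "none" when nothing is available."""
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, origin in (("Primary", "nvd"), ("Secondary", "cna")):
        for entry in entries:
            if entry.get("type") == wanted:
                return entry["cvssData"]["baseScore"], origin
    return None, "none"


def contextual_priority(cve, asset, threat):
    """Combine the base score with asset and threat context into a 0-10 priority."""
    base, origin = select_base_score(cve)
    flags = []
    if origin == "cna":
        flags.append("vendor-score-only")   # vendor and NVD scores often differ: flag it
    if origin == "none":
        flags.append("unscored")            # do not silently sink unanalysed records
        base = UNSCORED_PLACEHOLDER
    score = base * CRITICALITY_WEIGHT[asset.criticality]
    score *= 1.3 if asset.internet_exposed else 0.9
    if threat.exploited_in_wild:
        flags.append("exploited-in-wild")
        score = max(score, 9.0)             # active exploitation forces the top tier
    elif threat.exploit_probability >= 0.5:
        score += 1.0
    score = min(round(score, 1), 10.0)
    tier = "P1" if score >= 9.0 else "P2" if score >= 7.0 else "P3" if score >= 4.0 else "P4"
    return {"id": cve["id"], "base": base, "origin": origin,
            "score": score, "tier": tier, "flags": flags}


def prioritise(cves, asset_ctx, threat_ctx):
    """Rank records by contextual priority, highest first."""
    ranked = [contextual_priority(c, asset_ctx[c["id"]], threat_ctx[c["id"]]) for c in cves]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def cvss_only_order(cves):
    """The naive ordering (base score only, unscored last) for comparison."""
    def key(cve):
        score, _ = select_base_score(cve)
        return (score is None, -(score or 0.0))
    return [c["id"] for c in sorted(cves, key=key)]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_CVES))
    for row in prioritise(SAMPLE_CVES, SAMPLE_ASSET_CONTEXT, SAMPLE_THREAT_CONTEXT):
        print(row)
```

Run stand-alone, the CVSS-only ordering puts the 9.8 record first and the unanalysed one last, while the contextual ordering reverses it: the internet-facing, actively exploited record with only a vendor score of 5.3 lands in the top tier, and the record NVD has not scored at all is kept visible with an "unscored" flag rather than dropping off the list. The two flags are the practical point of the NVD-dependence discussion: a team that falls back to CNA scores during a backlog should be able to see which of its priorities rest on a vendor assessment alone.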
License
Copyright (c) 2025 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.