Dark Web Education Hub

CVSS Score

More resources

The CVSS score: the problem with vulnerability prioritization 

When it comes to prioritizing vulnerabilities for remediation, cybersecurity teams are hindered by a serious obstacle: the Common Vulnerability Scoring System, or CVSS. The system was established in 2005 to help security teams understand the potential impact of attacks that exploit vulnerabilities in software. The CVSS score became the industry standard for evaluating vulnerabilities, ranking them from 0 to 10 in terms of the severity of impact should they be exploited in a cyberattack.

However, CVSS was never meant to be so heavily relied upon. The severity of an individual vulnerability should it be exploited doesn’t correlate to the risk of it being exploited. Only a small percentage (6%) of known vulnerabilities are exploited by attackers, so for security teams to accurately determine which of the almost 200,000 known vulnerabilities should be remediated first, they need to know which weaknesses cybercriminals are most likely to exploit in the near future.

Cybersixgill DVE Intelligence offers a better way to assess vulnerabilities. By analyzing discourse on the deep and dark web – where cybercriminals buy, sell and share information and the tools of their trade – Cybersixgill can accurately predict the probability that a given vulnerability will be exploited in the next 90 days. With this data, security teams can more effectively allocate resources and organize patching cadences to strengthen the security posture of their organizations.

How CVSS scores are determined

CVSS scores are based on several metrics. These begin with the severity of the vulnerability – in other words, how costly an attack that exploits the vulnerability would be in terms of impact on the organization and on the integrity and availability of systems. CVSS scores also consider how easy it is for attackers to exploit the vulnerability and how easy a vulnerability is to remediate.

While these metrics are a good starting point for understanding the risk, CVSS scores are limited in three important ways. 

  • No real-time insight. There’s often a lag – sometimes as long as days or weeks – between the discovery of a vulnerability and until a CVSS score is assigned. This leaves security teams in the dark as to how to prioritize a recently discovered vulnerability.

  • Static scoring. Even though the level of risk changes over time as vulnerabilities are used with greater or lesser frequency, CVSS ratings rarely change. As a result, scores may not accurately reflect how prevalent certain vulnerabilities are in cyberattacks, or how easily they can be remediated after a period of time.

  • No recognition of probability. The CVSS framework offers no insight into the intent of threat actors or the availability of an actual means to exploit the vulnerability in question, so scores do not reflect how likely a vulnerability is to be used in the near future.

To improve the effectiveness of their patching cadences, cybersecurity teams need real-time insight into risk throughout the lifecycle of a vulnerability. That’s exactly what Cybersixgill DVE Intelligence delivers.

Replacing CVSS scores with Cybersixgill DVE Intelligence

Cybersixgill is dedicated to empowering security teams with agile, automated and contextual cyber threat intelligence solutions that preempt attacks – before a threat actor strikes. Our solutions are informed by the broadest threat collection capabilities in the industry. Using advanced AI and machine learning algorithms, we capture, process and alert teams to emerging threats, tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) as they surface on the clear, deep and dark web.

Cybersixgill DVE Intelligence solves the challenges of vulnerability prioritization with CVSS scores by accurately predicting the probability of a CVE being exploited. A dynamic scoring system reflects the likelihood that threat actors will take advantage of a given vulnerability in the next 90 days, helping security teams to focus on addressing the most critical vulnerabilities first.

DVE Intelligence automatically calculates scores for vulnerabilities by analyzing a broad array of intelligence sources. Our fully automated crawlers infiltrate and maintain access to a variety of sources on the clear, deep and dark web. These include limited-access sources that are inaccessible to other threat intelligence vendors, such as underground forums, dark web marketplaces, code repositories and paste sites, as well as social media, blogs and cybersecurity websites on the clear web.

Through continuous, AI-driven, real-time analysis of these various intelligence streams, DVE Intelligence accurately determines the probability that a vulnerability will be exploited in the next 90 days. Each score is backed by a full intelligence audit trail detailing the score’s rationale and underlying threat context, making it easier for security teams to justify actions to peers and superiors.

Why dark web monitoring is essential

The dark web is the go-to channel for threat actors as they seek to anonymously communicate, collaborate and acquire the tools and data they need to carry out attacks. As they interact, these cyber criminals leave footprints that can point to their future plans. It’s common for evidence of planned cybercrimes to appear on the dark web long before they can be found by conventional threat intelligence tools, including telemetry-based solutions.

To help security teams stay ahead of the threat curve, Cybersixgill monitors and tracks activity on a broad array of sources.

  • Underground markets. Marketplaces on the dark web are where cyber criminals buy and sell exploit code kits and other malicious tools that can be used to exploit vulnerabilities for attacks.

  • Underground forums. Forums on the deep and dark web are a common meeting ground for discussions about recently discovered vulnerabilities. This is where cybercriminals share exploit codes and occasionally plan joint attack campaigns.

  • Paste sites. Threat actors share large amounts of text on these sites that often include things such as exploit codes, Metasploit tools and information about various CVEs.

  • Code repositories. Proof-of-concept (POC) exploit codes are published daily on GitHub and labeled “for educational purposes only.” These POC codes often attract a great deal of interest from threat actors’ intent on exploiting them.

  • Social media. Tracking the discourse of threat actors on Twitter, Telegram and other social media platforms can provide early warning about plans to exploit newly discovered vulnerabilities.

  • Blogs, technical feeds, cybersecurity websites. Monitoring these sites can help security professionals understand how common vulnerabilities and exposures (CVEs) have already been weaponized, an indication that they are likely to be exploited again.

Why Cybersixgill?

Cybersixgill provides fully automated threat intelligence solutions that help organizations fight cybercrime, prevent data leaks, detect phishing exploits, stop fraud and prioritize vulnerabilities while amplifying incident response in real-time.

In addition to DVE Intelligence, we provide an Investigative Portal that delivers contextual and actionable insights as well as the ability to conduct deep-dive investigations across our full body of collected intel. Our API intelligence feed leverages our industry-leading deep and dark web monitoring capabilities to supercharge the security stack with the ultimate in underground threat intelligence collection. We understand the daily challenge of managing a flood of irrelevant data and constant alerts. Our solutions are designed to help organizations accurately focus on the specific threats that matter to them.

Our customers include enterprises, financial services corporations, governments, law enforcement entities and managed security services providers.


What are vulnerabilities?

Vulnerabilities are weaknesses or errors in software that can be exploited by malicious actors. Vulnerabilities may allow cybercriminals to gain unauthorized access to IT systems to steal money or data, disrupt business operations, or create damage in other ways.

What is CVE?

Common Vulnerabilities and Exposures, or CVE, is a list of publicly disclosed flaws in computer programs and systems. A CVE may also refer to an individual vulnerability or exposure that is been assigned an ID number in the CVE database. 

What is CVSS?

CVSS stands for the Common Vulnerability Scoring System, an open vulnerability assessment framework for documenting the characteristics of a vulnerability and calculating a score that reflects the vulnerability’s severity should it be exploited. In the vulnerability management lifecycle, security teams have traditionally used CVSS scores for vulnerability prioritization as they determine which vulnerabilities should be remediated first. However, because CVSS scores do not take into account the probability that a vulnerability will be exploited, security teams must incorporate other forms of threat intelligence to determine which vulnerabilities are most likely to be exploited by attackers in the near future.