Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Scoring for Security Configuration Settings

Published

Author(s)

Karen A. Scarfone, Peter M. Mell

Abstract

The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted for use with a different type of vulnerability: security configuration settings. We have identified significant differences in scoring configuration settings and software flaws and have proposed methods for accommodating those differences. We also generated scores for 187 configuration settings to evaluate the new specification.
Proceedings Title
2008 ACM Workshop on Quality of Protection
Conference Dates
October 27, 2008
Conference Location
Alexandria, VA
Conference Title
4th International Workshop on Quality of Protection

Keywords

Common Vulnerability Scoring System (CVSS), risk assessment, security configuration, vulnerability, vulnerability scoring

Citation

Scarfone, K. and Mell, P. (2008), Vulnerability Scoring for Security Configuration Settings, 2008 ACM Workshop on Quality of Protection, Alexandria, VA, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=152154 (Accessed December 26, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created October 29, 2008, Updated February 17, 2017