CVE, CVSS scores need overhauling, argues Codific CEOwww.theregister.com: CVE and CVSS systems suffer from misaligned incentives and inconsistency

Aram Hovespyan, co-founder and CEO of security biz Codific, says that the rating systems for identifying security vulnerabilities and assessing threat risk need to be overhauled.

Having examined the CVE (Common Vulnerabilities and Exposures) vulnerability identification numbering system, Hovespyan argues that about a third of CVEs are meaningless.

His analysis cites academic research published in August as part of the USENIX Security Symposium. The paper, "Confusing Value with Enumeration: Studying the Use of CVEs in Academia," (Moritz Schloegel et al.), reports that 34 percent of 1,803 CVEs cited in research papers over the past five years either have not been publicly confirmed or have been disputed by maintainers of the supposedly vulnerable software projects. The authors argue that CVEs should not be taken as a proxy for the real-world impact of claimed vulnerabilities.