Can We Trust the Default Vulnerabilities Severity?

Matteo Esposito, Sergio Moreschini, Valentina Lenarduzzi, David Hästbacka, Davide Falessi

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Scientific > peer-review


As software systems become increasingly complex and interconnected, the risk of security debt has risen significantly, leading to more cyber-attacks and data breaches. Vulnerability prioritization is a critical activity in software engineering because it helps identify and address security vulnerabilities in software systems promptly and effectively. With the increasing complexity of software systems and the growing number of potential threats, a systematic approach to vulnerability prioritization is essential to ensure that the most critical vulnerabilities are addressed first. The present study investigates the agreement between the default severity levels and the National Vulnerability Database (NVD) severity levels. We analyzed 1626 vulnerabilities encompassing 12 unique types of vulnerabilities associated with 125 Common Platform Enumeration identifiers belonging to 105 Apache projects. Our results show little correlation between the default and NVD severity levels; thus, the default severity of vulnerabilities is not trustworthy. Moreover, we discovered that, surprisingly, the same type of vulnerability has several different NVD severity levels; therefore, no default prioritization based only on the type of vulnerability can be accurate. Future studies are needed to estimate the priority of vulnerabilities accurately by considering several aspects of vulnerabilities rather than only their type.

Original language: English
Title of host publication: 2023 IEEE 23rd International Working Conference on Source Code Analysis and Manipulation (SCAM)
Number of pages: 6
ISBN (Electronic): 979-8-3503-0506-7
Publication status: Published - 2023
Publication type: A4 Article in conference proceedings
Event: International Working Conference on Source Code Analysis and Manipulation - Bogotá, Colombia
Duration: 2 Oct 2023 to 3 Oct 2023

Publication series

ISSN (Electronic): 2470-6892


Conference: International Working Conference on Source Code Analysis and Manipulation

Publication forum classification

  • Publication forum level 1

