Background: Timely prioritisation and remediation of vulnerabilities is paramount in the dynamic cybersecurity field, yet one of the most widely used vulnerability scoring systems (CVSS) does not account for the increasing likelihood that an exploit code will emerge. Aims: We present SecScore, an innovative vulnerability severity score that enhances the CVSS Threat metric group with statistical models built from empirical evidence of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that captures the dynamics of exploit code development more accurately and more promptly. Results: Our approach integrates seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore adapts to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances vulnerability metrics theory and enhances organisational cybersecurity with practical insights.