The Common Vulnerability Scoring System (CVSS) is a widely used method for rating the severity of vulnerabilities in vulnerability management. The evaluation produces a numeric score between 0 and 10, where 10 is the most severe (critical) value. The goal of CVSS is to yield comparable scores across different evaluators. However, previous work indicates that CVSS may not reach this goal: when a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are evaluated inconsistently for widespread vulnerability types, including the top three vulnerabilities from the "2022 CWE Top 25 Most Dangerous Software Weaknesses" list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of the participants gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations for improving the consistency of scoring.