Current frameworks for evaluating security bug severity, such as the Common Vulnerability Scoring System (CVSS), prioritize the ratio of exploitability to impact. This paper suggests that the above approach measures the "known knowns" but inadequately addresses the "known unknowns" especially when there exist multiple possible exploit paths and side effects, which introduce significant uncertainty. This paper introduces the concept of connectedness, which measures how strongly a security bug is connected with different entities, thereby reflecting the uncertainty of impact and the exploit potential. This work highlights the critical but underappreciated role connectedness plays in severity assessments.

翻译：当前评估安全漏洞严重性的框架，如通用漏洞评分系统（CVSS），主要关注可利用性与影响之间的比率。本文认为，上述方法衡量的是“已知的已知”，但未能充分处理“已知的未知”，尤其是在存在多种可能的利用路径和副作用时，这会引入显著的不确定性。本文引入了连通性的概念，用于衡量安全漏洞与不同实体之间的连接强度，从而反映影响的不确定性和利用潜力。这项工作强调了连通性在严重性评估中所起的关键但未被充分重视的作用。