Security metrics are not standardized, but international proposals such as the Common Vulnerability Scoring System (CVSS) for quantifying the severity of known vulnerabilities are widely used. Many CVSS aggregation mechanisms have been proposed in the literature. Nevertheless, factors related to the context of the System Under Test (SUT) are not taken into account in the aggregation process, so vulnerabilities that in theory affect the SUT but are not exploitable in practice still contribute to the result. We propose a CVSS aggregation algorithm that integrates information about the functionality disruption of the SUT, exploitation difficulty, the existence of exploits, and the context in which the SUT operates. The aggregation algorithm was applied to OpenPLC V3, showing that it is capable of filtering out vulnerabilities that cannot be exploited under the real deployment conditions of the particular system. Finally, because of the nature of the proposed algorithm, the result can be interpreted in the same way as a normal CVSS score.
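The abstract describes the shape of the approach (filter out vulnerabilities the deployment context makes unexploitable, weight the rest by functionality disruption, exploit availability and difficulty, then aggregate back onto the 0–10 CVSS scale) without giving the formulas. The following is an added illustration of that idea written for this page; it is not the paper's algorithm, and the precondition model, the weighting factors, the probabilistic-OR aggregation and the sample vulnerability records (VULN-A/B/C, with constructed scores and not real OpenPLC CVEs) are all assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # constructed identifier, not a real CVE
    base_score: float       # CVSS base score, 0.0-10.0
    requires: frozenset     # preconditions an attacker needs (e.g. network reachability)
    affects: str            # SUT function whose disruption the vulnerability causes
    public_exploit: bool    # is a working exploit publicly available?
    difficulty: str         # "low" or "high" exploitation difficulty

@dataclass(frozen=True)
class Context:
    exposed: frozenset           # preconditions actually present in this deployment
    functions_in_use: frozenset  # SUT functions enabled in this deployment
    disruption_weight: dict      # assumed 0-1 weight: how much losing each function matters

def is_exploitable(v: Vulnerability, ctx: Context) -> bool:
    """Context filter: every precondition must hold and the affected function must be in use."""
    return v.requires <= ctx.exposed and v.affects in ctx.functions_in_use

def adjusted_score(v: Vulnerability, ctx: Context) -> float:
    """Scale the base score by disruption, difficulty and exploit availability (assumed factors)."""
    score = v.base_score * ctx.disruption_weight.get(v.affects, 1.0)
    if v.difficulty == "high":
        score *= 0.8        # assumed penalty for hard-to-exploit issues
    if not v.public_exploit:
        score *= 0.9        # assumed penalty when no public exploit exists
    return min(round(score, 1), 10.0)

def aggregate(vulns, ctx: Context):
    """Probabilistic-OR aggregation of the applicable vulnerabilities, mapped back to 0-10.

    Returns (aggregate_score, [ids that survived the context filter]).
    """
    applicable = [v for v in vulns if is_exploitable(v, ctx)]
    if not applicable:
        return 0.0, []
    p_none = 1.0                       # probability that no applicable issue "fires"
    for v in applicable:
        p_none *= 1.0 - adjusted_score(v, ctx) / 10.0
    return round(10.0 * (1.0 - p_none), 1), [v.vuln_id for v in applicable]

# Constructed sample inventory for a hypothetical PLC deployment.
SAMPLE_VULNS = [
    Vulnerability("VULN-A", 9.8, frozenset({"network"}), "web_ui", True, "low"),
    Vulnerability("VULN-B", 7.8, frozenset({"local_shell"}), "runtime", True, "low"),
    Vulnerability("VULN-C", 6.5, frozenset({"network"}), "modbus", False, "high"),
]

# Deployment A: network-reachable, no local shell for attackers, all functions enabled,
# web UI considered less critical than the control functions.
CONTEXT_A = Context(
    exposed=frozenset({"network"}),
    functions_in_use=frozenset({"web_ui", "modbus", "runtime"}),
    disruption_weight={"web_ui": 0.5, "modbus": 1.0, "runtime": 1.0},
)

# Deployment B: local shell access is possible, but the web UI has been disabled.
CONTEXT_B = Context(
    exposed=frozenset({"network", "local_shell"}),
    functions_in_use=frozenset({"modbus", "runtime"}),
    disruption_weight={"web_ui": 0.5, "modbus": 1.0, "runtime": 1.0},
)

if __name__ == "__main__":
    for name, ctx in (("A", CONTEXT_A), ("B", CONTEXT_B)):
        score, ids = aggregate(SAMPLE_VULNS, ctx)
        print(f"deployment {name}: aggregate {score} from {ids}")
```

In deployment A the local-only VULN-B is dropped by the filter; in deployment B the web-UI issue VULN-A is dropped because the function is not in use, so the same inventory yields different context-specific scores while each stays on the familiar 0–10 scale.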