CVSS 4.0 also has shortcomings, researchers say
The upcoming CVSS 4.0 framework introduces expanded impact metrics, refined temporal metrics, and new supplemental metrics to improve assessment accuracy. However, issues remain, including a lack of consideration for privacy concerns and for advanced persistent threat (APT) associations, according to the JPMorganChase security researchers.
JPMorganChase has put together a framework that accounts for the missing APT and exploitability weighting and for the issue of dependencies. The financial services giant has developed a conceptual design and is encouraging other members of the security community to review it and take part in refining it further.
In response to a question from CSO, Syed Islam, a principal security architect at JPMorganChase, acknowledged that only organizations that had achieved a degree of security maturity — for example by having an inventory of technologies and applications upon which their business relies — would benefit substantially from applying its vulnerability assessment methodology.