A Survey on Software Vulnerability Exploitability Assessment

Sarah Elder; Md. Rayhanur Rahman; Gage Fringer; Kunal Kapoor; Laurie A. Williams

A Survey on Software Vulnerability Exploitability Assessment

Sarah Elder, Md. Rayhanur Rahman, Gage Fringer, Kunal Kapoor, Laurie A. Williams

Published: 01 Jan 2024, Last Modified: 05 Jan 2025ACM Comput. Surv. 2024EveryoneRevisionsBibTeXCC BY-SA 4.0

Abstract: Knowing the exploitability and severity of software vulnerabilities helps practitioners prioritize vulnerability mitigation efforts. Researchers have proposed and evaluated many different exploitability assessment methods. The goal of this research is to assist practitioners and researchers in understanding existing methods for assessing vulnerability exploitability through a survey of exploitability assessment literature. We identify three exploitability assessment approaches: assessments based on original, manual Common Vulnerability Scoring System, automated Deterministic assessments, and automated Probabilistic assessments. Other than the original Common Vulnerability Scoring System, the two most common sub-categories are Deterministic, Program State based, and Probabilistic learning model assessments.

Loading