Security researchers at JPMorganChase have raised concerns about the upcoming CVSS 4.0 framework, pointing out shortcomings they believe must be addressed before the standard can deliver accurate vulnerability assessments. The new version does bring improvements, including expanded impact metrics, a reworked temporal metric group (renamed threat metrics in 4.0), and a new set of supplemental metrics, but the researchers argue it still does not adequately account for factors such as privacy impact and a vulnerability's association with advanced persistent threats (APTs).
The two gaps the researchers single out are the absence of any APT-association factor and the absence of exploitability weighting, so a score does not change according to who is exploiting a vulnerability or how it is being exploited in practice. They also flag dependencies, noting that dependencies between components can significantly change a vulnerability's real impact, something a score assigned to the vulnerability in isolation does not reflect. In response, JPMorganChase has developed a conceptual design intended to address these shortcomings and make vulnerability assessments more effective.
Syed Islam, a principal security architect at JPMorganChase, has emphasized that applying the methodology proposed by the financial services giant depends on an organization's security maturity. He noted that organizations with a high level of security maturity, for example those that already maintain a comprehensive inventory of their technologies and applications, stand to benefit most from implementing the new framework.
While CVSS 4.0 is a step forward, the researchers believe work remains before it can be relied on. In their view, incorporating APT associations, exploitability weighting, and dependencies would give a more comprehensive and accurate picture of the risk each vulnerability actually poses.
To refine and validate the proposed conceptual design, JPMorganChase is asking members of the security community to review it and provide feedback. By collaborating with industry experts and stakeholders, the financial services giant hopes to improve vulnerability assessment and strengthen cybersecurity practice across organizations.
In short, the researchers are advocating a more holistic approach to vulnerability assessment, one that weighs APT associations, exploitability, and dependencies alongside the CVSS 4.0 metrics, so that scores better reflect the threats organizations actually face.
