Measuring the accuracy of software vulnerability assessments: experiments with students and professionals
Empirical Software Engineering (IF 3.5), Pub Date: 2020-01-20, DOI: 10.1007/s10664-019-09797-4
Luca Allodi , Marco Cremonini , Fabio Massacci , Woohyun Shim

Assessing the risk of software vulnerabilities is a key process in software development and security management. This assessment requires considering multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend on the assessor's knowledge and skills. In this work, we tackle an important part of this problem by measuring the accuracy of technical vulnerability assessments made by assessors with different levels and types of knowledge. We report an experiment comparing how accurately students with different technical education and security professionals are able to assess the severity of software vulnerabilities with the Common Vulnerability Scoring System (v3) industry methodology. Our results could be useful for increasing awareness of the intrinsic subtleties of vulnerability risk assessment and possibly for better compliance with regulations. With respect to academic education, professional training and human resources selection, our work suggests that measuring the effects of knowledge and expertise on the accuracy of software security assessments is feasible, albeit not easy.

Updated: 2020-01-20