Study on the distribution of CVSS environmental score

This paper focuses on analyzing the distribution of CVSS environmental score. Firstly we extract CVSS base score from the NVD database and calculate their corresponding environmental score by simulating all possible combinations of different environmental metrics, then analyze the distribution of the environmental score. Two conclusions are obtained: first, for any given vulnerability, there exists a mode value among all its possible environmental scores; second, the relationships between the maximum decrease or increase of the environmental score and the base score fits particular functions. Finally we use three vulnerabilities provided by NVD as a case study to verify the conclusions proposed in this paper.