AutoCVSS: Assessing the Performance of LLMs for Automated Software Vulnerability Scoring

Davide Sanvito; Giovanni Arriciati; Giuseppe Siracusano; Roberto Bifulco; Michele Carminati

2025 EMNLP EMNLP 2025

AutoCVSS: Assessing the Performance of LLMs for Automated Software Vulnerability Scoring

Abstract

AbstractThe growing volume of daily disclosed software vulnerabilities imposes significant pressure on security analysts, extending the time needed for analysis - an essential step for accurate risk prioritization.Meanwhile, the time between disclosure and exploitation is reducing, becoming shorter than the analysis time and increasing the window of opportunity for attackers.This study explores leveraging Large Language Models (LLMs) for automating vulnerability risk score prediction using the industrial CVSS standard.From our analysis across different data availability scenarios, LLMs can effectively complement supervised baselines in data-scarce settings. In the absence of any annotated data, such as during the transition to new versions of the standard, LLMs are the only viable approach, highlighting their value in improving vulnerability management.We make the source code of AutoCVSS public at https://github.com/nec-research/AutoCVSS.

🌉 Interdisciplinary Bridge — Artificial Intelligence and Computer Science and Machine Learning and Natural Language Processing

🧭 Keyword Pioneer — cvss standard

🐝 Cross-Pollinator — Artificial Intelligence, Computer Science, Computer Vision, Data Science & Analytics, Deep Learning, Healthcare & Medicine, Interdisciplinary, Knowledge & Reasoning, Machine Learning, Mathematics & Optimization, Natural Language Processing, Reinforcement Learning, Robotics, Security & Privacy, Speech & Audio

Authors

Davide Sanvito , Giovanni Arriciati , Giuseppe Siracusano , Roberto Bifulco , Michele Carminati

Topics

Artificial Intelligence > Core AI > AI Safety Natural Language Processing > Applications > Text Classification Computer Science > Applications > Cybersecurity Artificial Intelligence > Core AI > Large Language Models Machine Learning > Learning Types > Classification

Keywords

text classification risk assessment software security large language model vulnerability scoring cvss standard software vulnerability risk prioritization cvss scoring vulnerability management

Download PDF

Related papers

Bit-Flip Error Resilience in LLMs: A Comprehensive Analysis and Defense Framework 2025

VoiceCraft-X: Unifying Multilingual, Voice-Cloning Speech Synthesis and Speech Editing 2025

Model-based Large Language Model Customization as Service 2025

ZoomEye: Enhancing Multimodal LLMs with Human-Like Zooming Capabilities through Tree-Based Image Exploration 2025

SlideCoder: Layout-aware RAG-enhanced Hierarchical Slide Generation from Design 2025