Awesome Security Vulnerability Assessment

An ever-growing list of resources for data-driven vulnerability assessment and prioritization

Your contributions are always welcome. Please see the Contributing section below for more information.

This list is orginated from the survey paper, published in the ACM Computing Surveys journal: "A Survey on Data-Driven Software Vulnerability Assessment and Prioritization"

The papers are organized based on the taxonomy of tasks in the following figure:

Table of Contents

• List of Papers
• Task-wise Papers
  • Exploitability Prediction
    • Exploit Likelihood
    • Exploit Time
    • Exploit Characteristics
  • Impact Prediction
    • Confidentiality, Integrity, Availability and Scope
    • Custom Vulnerability Consequences
  • Severity Prediction
    • Severe vs. Non-Severe
    • Severity Levels
    • Severity Score
  • Type Prediction
    • Common Weakness Enumeration (CWE)
    • Custom Vulnerability Types
  • Miscellaneous Tasks
    • Vulnerability Information Retrieval
    • Cross-source Vulnerability Patterns
    • Vulnerability Fixing Effort
• Vulnerability Data
  • Vulnerability databases
  • Security advisories
  • Other sources
• Contributing
• Citation

List of Papers

The papers are sorted by time (newest to oldest)

• CoLeFunDa: Explainable Silent Vulnerability Fix Identification (2023) - This work predicts CWE and CVSS exploitability to explain why a commit fixes a vulnerability
• Fine-grained Commit-level Vulnerability Type Prediction by CWE Tree Structure (2023)
• Automated event extraction of CVE descriptions (2023)
• An automatic classification algorithm for software vulnerability based on weighted word vector and fusion neural network (2023)
• Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation (2023)
• Impact of Word Embedding Methods on Software Vulnerability Severity Prediction Models (2023)
• Assessing Vulnerability from Its Description (2023)
• Automation of Vulnerability Information Extraction Using Transformer-Based Language Models (2022)
• A Software Security Entity Relationships Prediction Framework Based on Knowledge Graph Embedding Using Sentence-Bert (2022)
• Extraction of Phrase-based Concepts in Vulnerability Descriptions through Unsupervised Labeling (2022)
• Sourcing Language Models and Text Information for Inferring Cyber Threat, Vulnerability and Mitigation Relationships (2022)
• On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models (2022)
• Predicting severity of software vulnerability based on BERT-CNN (2022)
• Exploitability Assessment with Genetically Tuned Interconnected Neural Networks (2022)
• Challenges on prioritizing software patching (2022)
• Using Federated Learning to Predict Vulnerability Exploitability (2022)
• Evaluating Text Augmentation for Boosting the Automatic Mapping of Vulnerability Information to Adversary Techniques (2022)
• Common Vulnerability Scoring System Prediction based on Open Source Intelligence Information Sources (2022)
• Predicting the Severity and Exploitability of Vulnerability Reports using Convolutional Neural Nets (2022)
• A semi-supervised vulnerability management system (2022)
• Automatic software vulnerability classification by extracting vulnerability triggers (2022)
• OS-Aware Vulnerability Prioritization via Differential Severity Analysis (2022)
• Knowledge-Driven Cybersecurity intelligence: Software Vulnerability Co-exploitation Behaviour Discovery (2022)
• Multi-label Positive and Unlabeled Learning and its Application to Common Vulnerabilities and Exposure Categorization (2021)
• Machine Learning Based Approach for the Automated Mapping of Discovered Vulnerabilities to Adversial Tactics (2021)
• Automated security assessment for the internet of things (2021)

---------Paper included in the survey---------

• Vulnerability exploitation time prediction: an integrated framework for dynamic imbalanced learning (2022)
• An automatic algorithm for software vulnerability classification based on CNN and GRU (2022)
• A Deep Learning Approach for Classifying Vulnerability Descriptions Using Self Attention Based Neural Network (2022)
• V2W-BERT: A Framework for Effective Hierarchical Multiclass Classification of Software Vulnerabilities (2021)
• Unsupervised Labeling and Extraction of Phrase-based Concepts in Vulnerability Descriptions (2021)
• Tracing CAPEC Attack Patterns from CVE Vulnerability Information using Natural Language Processing Technique (2021)
• Severity Prediction of Software Vulnerabilities based on their Text Description (2021)
• Severity Prediction of Software Vulnerabilities Using Textual Data (2021)
• Predicting the existence of exploitation concepts linked to software vulnerabilities using text mining (2021)
• Predicting entity relations across different security databases by using graph attention network (2021)
• Predicting Vulnerability Type in Common Vulnerabilities and Exposures (CVE) Database with Machine Learning Classifiers (2021)
• OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases (2021)
• NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management (2021)
• Linking Common Vulnerabilities and Exposures to the MITRE ATT&CK Framework: A Self-Distillation Approach (2021)
• Key aspects augmentation of vulnerability description based on multiple security databases (2021)
• Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization (2021)
• Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models (2021)
• Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits (2021)
• Detecting and Augmenting Missing Key Aspects in Vulnerability Descriptions (2021)
• DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning (2021)
• CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description (2021)
• Automatic Part-of-Speech Tagging for Security Vulnerability Descriptions (2021)
• Automatic Classification of Vulnerabilities using Deep Learning and Machine Learning Algorithms (2021)
• A tree-based machine learning methodology to automatically classify software vulnerabilities (2021)
• A multiclass hybrid approach to estimating software vulnerability vectors and severity score (2021)
• A Framework for Modeling Cyber Attack Techniques from Security Vulnerability Descriptions (2021)
• A Character-Level Convolutional Neural Network for Predicting Exploitability of Vulnerability (2021)
• Topic Modeling And Classification Of Common Vulnerabilities And Exposures Database (2020)
• ThreatZoom: CVE2CWE using Hierarchical Neural Network (2020)
• The effect of Bellwether analysis on software vulnerability severity prediction models (2020)
• Software vulnerability prioritization using vulnerability description (2020)
• Predicting Missing Information of Key Aspects in Vulnerability Reports (2020)
• LDA Categorization of Security Bug Reports in Chromium Projects (2020)
• Improving vulnerability remediation through better exploit prediction (2020)
• Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure (2020)
• FastEmbed: Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm (2020)
• Exploitability prediction of software vulnerabilities (2020)
• Evaluating the Performance of Twitter-based Exploit Detectors (2020)
• Dynamic Software Vulnerabilities Threat Prediction through Social Media Contextual Analysis (2020)
• Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses (2020)
• Automation of Vulnerability Classification from its Description using Machine Learning (2020)
• Automated CPE Labeling of CVE Summaries with Machine Learning (2020)
• Apply transfer learning to cybersecurity: Predicting exploitability of vulnerabilities by description (2020)
• An Automatic Software Vulnerability Classification Framework Using Term Frequency-Inverse Gravity Moment and Feature Selection (2020)
• An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions (2020)
• An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems (2020)
• A vulnerability analysis and prediction framework (2020)
• A General Framework to Understand Vulnerabilities in Information Systems (2020)
• Vulnerability Severity Prediction With Deep Neural Network (2019)
• VEST: A System for Vulnerability Exploit Scoring & Timing (2019)
• VASE: A Twitter-based Vulnerability Analysis and Score Engine (2019)
• Using twitter to predict when vulnerabilities will be exploited (2019)
• Towards the Detection of Inconsistencies in Public Security Vulnerability Reports (2019)
• Summarizing Vulnerabilities' Descriptions to Support Experts during Vulnerability Assessment Activities (2019)
• Patch Before Exploited: An Approach to Identify Targeted Software Vulnerabilities (2019)
• Mentions of security vulnerabilities on Reddit, Twitter and GitHub (2019)
• Joint prediction of multiple vulnerability characteristics through multi-task learning (2019)
• Intelligent Prediction of Vulnerability Severity Level Based on Text Mining and XGBboost (2019)
• Improving the Accuracy of Vulnerability Report Classification Using Term Frequency-Inverse Gravity Moment (2019)
• Exploit prediction scoring system (EPSS) (2019)
• Embedding and Predicting Software Security Entity Relationships: A Knowledge Graph Based Approach (2019)
• Character-Level Convolutional Neural Network for Predicting Severity of Software Vulnerability from Vulnerability Description (2019)
• Automatic Classification Method for Software Vulnerability Based on Deep Neural Network (2019)
• Automated software vulnerability assessment with concept drift (2019)
• Automated Classification of Attacker Privileges Based on Deep Neural Network (2019)
• Automated Characterization of Software Vulnerabilities (2019)
• Analyzing CVE Database Using Unsupervised Topic Modelling (2019)
• A conceptual replication on predicting the severity of software vulnerabilities (2019)
• µVulDeePecker: A deep learning-based system for multiclass vulnerability detection (2019)
• Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses (2018)
• From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild (2018)
• Deepweak: Reasoning common software weaknesses via knowledge graph embedding (2018)
• Darkembed: Exploit prediction with neural language models (2018)
• Automatically assessing vulnerabilities discovered by compositional analysis (2018)
• Automatic Vulnerability Classification Using Machine Learning (2018)
• Automated Generation of Attack Graphs Using NVD (2018)
• Assisting Vulnerability Detection by Prioritizing Crashes with Incremental Learning (2018)
• Analyzing Evolving Trends of Vulnerabilities in National Vulnerability Database (2018)
• A multi-target approach to estimate software vulnerability characteristics and severity scores (2018)
• Time for addressing software security issues: Prediction models and impacting factors (2017)
• Proactive identification of exploits in the wild through vulnerability mentions online (2017)
• Predicting exploitation of disclosed software vulnerabilities using open-source data (2017)
• Machine learning in vulnerability databases (2017)
• Learning to predict severity of software vulnerability using only vulnerability description (2017)
• ExploitMeter: Combining Fuzzing with Machine Learning for Automated Evaluation of Software Exploitability (2017)
• Exniffer: Learning to prioritize crashes by assessing the exploitability from memory dump (2017)
• Classifying Web Exploits with Topic Modeling (2017)
• Assessment of vulnerability severity using text mining (2017)
• Mining trends and patterns of software vulnerabilities (2016)
• Associating the Severity of Vulnerabilities with their Description (2016)
• An automatic method for CVSS score prediction using vulnerabilities description (2016)
• A study on the classification of Common Vulnerabilities and Exposures using Naive Bayes (2016)
• Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits (2015)
• Text-mining approach for estimating vulnerability score (2015)
• Predicting exploit likelihood for cyber vulnerabilities with machine learning (2015)
• Predicting Vulnerability Exploits in the Wild (2015)
• A novel automatic severity vulnerability assessment framework (2015)
• Using software structure to predict vulnerability exploitation potential (2014)
• Automated extraction of vulnerability information for home computer security (2014)
• Automatic classification for vulnerability based on machine learning (2013)
• Vulnerability categorization using Bayesian networks (2010)
• Security trend analysis with CVE topic models (2010)
• Beyond heuristics: learning to classify vulnerabilities and predict exploits (2010)
• A Categorization Framework for Common Computer Vulnerabilities and Exposures (2010)
• Standardising vulnerability categories (2008)

Task-wise Papers

The description of each of the task can be found in the survey paper. Note: Some of the newer papers after the survey were published may not be categorized according to the task as I'm quite busy at the moment. Any contributions to help categorize the new papers are always welcome and highly appreciated.

Exploitability Prediction

Exploit Likelihood

• Knowledge-Driven Cybersecurity intelligence: Software Vulnerability Co-exploitation Behaviour Discovery (2022)
• Predicting the Severity and Exploitability of Vulnerability Reports using Convolutional Neural Nets (2022)
• Common Vulnerability Scoring System Prediction based on Open Source Intelligence Information Sources (2022)
• Using Federated Learning to Predict Vulnerability Exploitability (2022)
• Exploitability Assessment with Genetically Tuned Interconnected Neural Networks (2022)
• Challenges on prioritizing software patching (2022)
• Predicting the existence of exploitation concepts linked to software vulnerabilities using text mining (2021)
• A Character-Level Convolutional Neural Network for Predicting Exploitability of Vulnerability (2021)
• Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits (2021)
• Improving vulnerability remediation through better exploit prediction (2020)
• FastEmbed: Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm (2020)
• Exploitability prediction of software vulnerabilities (2020)
• Evaluating the Performance of Twitter-based Exploit Detectors (2020)
• Dynamic Software Vulnerabilities Threat Prediction through Social Media Contextual Analysis (2020)
• Apply transfer learning to cybersecurity: Predicting exploitability of vulnerabilities by description (2020)
• Patch Before Exploited: An Approach to Identify Targeted Software Vulnerabilities (2019)
• From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild (2018)
• Darkembed: Exploit prediction with neural language models (2018)
• Assisting Vulnerability Detection by Prioritizing Crashes with Incremental Learning (2018)
• Proactive identification of exploits in the wild through vulnerability mentions online (2017)
• Predicting exploitation of disclosed software vulnerabilities using open-source data (2017)
• ExploitMeter: Combining Fuzzing with Machine Learning for Automated Evaluation of Software Exploitability (2017)
• Exniffer: Learning to prioritize crashes by assessing the exploitability from memory dump (2017)
• Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits (2015)
• Predicting exploit likelihood for cyber vulnerabilities with machine learning (2015)
• Predicting Vulnerability Exploits in the Wild (2015)
• Using software structure to predict vulnerability exploitation potential (2014)
• Beyond heuristics: learning to classify vulnerabilities and predict exploits (2010)

Exploit Time

• Vulnerability exploitation time prediction: an integrated framework for dynamic imbalanced learning (2022)
• VEST: A System for Vulnerability Exploit Scoring & Timing (2019)
• Using twitter to predict when vulnerabilities will be exploited (2019)
• Exploit prediction scoring system (EPSS) (2019)
• Predicting exploit likelihood for cyber vulnerabilities with machine learning (2015)
• Beyond heuristics: learning to classify vulnerabilities and predict exploits (2010)

Exploit Characteristics

• CoLeFunDa: Explainable Silent Vulnerability Fix Identification (2023)
• Assessing Vulnerability from Its Description (2023)
• OS-Aware Vulnerability Prioritization via Differential Severity Analysis (2022)
• On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models (2022)
• DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning (2021)
• Automated security assessment for the internet of things (2021)
• NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management (2021)
• Severity Prediction of Software Vulnerabilities based on their Text Description (2021)
• CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description (2021)
• A multiclass hybrid approach to estimating software vulnerability vectors and severity score (2021)
• OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases (2021)
• Tracing CAPEC Attack Patterns from CVE Vulnerability Information using Natural Language Processing Technique (2021)
• Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure (2020)
• An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems (2020)
• VEST: A System for Vulnerability Exploit Scoring & Timing (2019)
• Joint prediction of multiple vulnerability characteristics through multi-task learning (2019)
• Automated software vulnerability assessment with concept drift (2019)
• Automated Classification of Attacker Privileges Based on Deep Neural Network (2019)
• Automatically assessing vulnerabilities discovered by compositional analysis (2018)
• Automatic Vulnerability Classification Using Machine Learning (2018)
• Automated Generation of Attack Graphs Using NVD (2018)
• A multi-target approach to estimate software vulnerability characteristics and severity scores (2018)
• Classifying Web Exploits with Topic Modeling (2017)
• Associating the Severity of Vulnerabilities with their Description (2016)
• Text-mining approach for estimating vulnerability score (2015)
• A novel automatic severity vulnerability assessment framework (2015)
• A Categorization Framework for Common Computer Vulnerabilities and Exposures (2010)

Impact Prediction

Confidentiality, Integrity, Availability and Scope

• Common Vulnerability Scoring System Prediction based on Open Source Intelligence Information Sources (2022)
• On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models (2022)
• DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning (2021)
• Automated security assessment for the internet of things (2021)
• NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management (2021)
• Severity Prediction of Software Vulnerabilities based on their Text Description (2021)
• CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description (2021)
• A multiclass hybrid approach to estimating software vulnerability vectors and severity score (2021)
• OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases (2021)
• Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure (2020)
• An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems (2020)
• VEST: A System for Vulnerability Exploit Scoring & Timing (2019)
• Joint prediction of multiple vulnerability characteristics through multi-task learning (2019)
• Automated software vulnerability assessment with concept drift (2019)
• Automatically assessing vulnerabilities discovered by compositional analysis (2018)
• Automatic Vulnerability Classification Using Machine Learning (2018)
• A multi-target approach to estimate software vulnerability characteristics and severity scores (2018)
• Associating the Severity of Vulnerabilities with their Description (2016)
• Text-mining approach for estimating vulnerability score (2015)
• A novel automatic severity vulnerability assessment framework (2015)

Custom Vulnerability Consequences

• A Categorization Framework for Common Computer Vulnerabilities and Exposures (2009)

Severity Prediction

Severe vs. Non-Severe

• Severity Prediction of Software Vulnerabilities Using Textual Data (2021)
• The effect of Bellwether analysis on software vulnerability severity prediction models (2020)
• An Automatic Software Vulnerability Classification Framework Using Term Frequency-Inverse Gravity Moment and Feature Selection (2020)
• Improving the Accuracy of Vulnerability Report Classification Using Term Frequency-Inverse Gravity Moment (2019)

Severity Levels

• Impact of Word Embedding Methods on Software Vulnerability Severity Prediction Models (2023)
• Assessing Vulnerability from Its Description (2023)
• Predicting the Severity and Exploitability of Vulnerability Reports using Convolutional Neural Nets (2022)
• Predicting severity of software vulnerability based on BERT-CNN (2022)
• On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models (2022)
• DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning (2021)
• Severity Prediction of Software Vulnerabilities based on their Text Description (2021)
• Software vulnerability prioritization using vulnerability description (2020)
• A General Framework to Understand Vulnerabilities in Information Systems (2020)
• Vulnerability Severity Prediction With Deep Neural Network (2019)
• Joint prediction of multiple vulnerability characteristics through multi-task learning (2019)
• Intelligent Prediction of Vulnerability Severity Level Based on Text Mining and XGBboost (2019)
• Character-Level Convolutional Neural Network for Predicting Severity of Software Vulnerability from Vulnerability Description (2019)
• Automated software vulnerability assessment with concept drift (2019)
• A conceptual replication on predicting the severity of software vulnerabilities (2019)
• Learning to predict severity of software vulnerability using only vulnerability description (2017)
• Assessment of vulnerability severity using text mining (2017)
• An automatic method for CVSS score prediction using vulnerabilities description (2016)
• A Categorization Framework for Common Computer Vulnerabilities and Exposures (2010)

Severity Score

• Assessing Vulnerability from Its Description (2023)
• Common Vulnerability Scoring System Prediction based on Open Source Intelligence Information Sources (2022)
• NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management (2021)
• Severity Prediction of Software Vulnerabilities based on their Text Description (2021)
• CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description (2021)
• A multiclass hybrid approach to estimating software vulnerability vectors and severity score (2021)
• OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases (2021)
• Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure (2020)
• Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses (2020)
• An Approach to Discover and Assess Vulnerability Severity Automatically in Cyber-Physical Systems (2020)
• VEST: A System for Vulnerability Exploit Scoring & Timing (2019)
• VASE: A Twitter-based Vulnerability Analysis and Score Engine (2019)
• A conceptual replication on predicting the severity of software vulnerabilities (2019)
• Automatically assessing vulnerabilities discovered by compositional analysis (2018)
• A multi-target approach to estimate software vulnerability characteristics and severity scores (2018)
• Associating the Severity of Vulnerabilities with their Description (2016)
• A novel automatic severity vulnerability assessment framework (2015)

Type Prediction

Common Weakness Enumeration (CWE)

• CoLeFunDa: Explainable Silent Vulnerability Fix Identification (2023)
• Fine-grained Commit-level Vulnerability Type Prediction by CWE Tree Structure (2023)
• An automatic classification algorithm for software vulnerability based on weighted word vector and fusion neural network (2023)
• Automatic software vulnerability classification by extracting vulnerability triggers (2022)
• An automatic algorithm for software vulnerability classification based on CNN and GRU (2022)
• A Deep Learning Approach for Classifying Vulnerability Descriptions Using Self Attention Based Neural Network (2022)
• Multi-label Positive and Unlabeled Learning and its Application to Common Vulnerabilities and Exposure Categorization (2021)
• Predicting Vulnerability Type in Common Vulnerabilities and Exposures (CVE) Database with Machine Learning Classifiers (2021)
• A tree-based machine learning methodology to automatically classify software vulnerabilities (2021)
• V2W-BERT: A Framework for Effective Hierarchical Multiclass Classification of Software Vulnerabilities (2021)
• ThreatZoom: CVE2CWE using Hierarchical Neural Network (2020)
• Automation of Vulnerability Classification from its Description using Machine Learning (2020)
• Automatic Classification Method for Software Vulnerability Based on Deep Neural Network (2019)
• µVulDeePecker: A deep learning-based system for multiclass vulnerability detection (2019)
• Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses (2018)
• Deepweak: Reasoning common software weaknesses via knowledge graph embedding (2018)
• Machine learning in vulnerability databases (2017)
• Mining trends and patterns of software vulnerabilities (2016)
• A study on the classification of Common Vulnerabilities and Exposures using Naive Bayes (2016)
• Automatic classification for vulnerability based on machine learning (2013)
• Vulnerability categorization using Bayesian networks (2010)

Custom Vulnerability Types

• Automatic Classification of Vulnerabilities using Deep Learning and Machine Learning Algorithms (2021)
• Topic Modeling And Classification Of Common Vulnerabilities And Exposures Database (2020)
• LDA Categorization of Security Bug Reports in Chromium Projects (2020)
• A vulnerability analysis and prediction framework (2020)
• A General Framework to Understand Vulnerabilities in Information Systems (2020)
• Summarizing Vulnerabilities' Descriptions to Support Experts during Vulnerability Assessment Activities (2019)
• Analyzing CVE Database Using Unsupervised Topic Modelling (2019)
• Analyzing Evolving Trends of Vulnerabilities in National Vulnerability Database (2018)
• ExploitMeter: Combining Fuzzing with Machine Learning for Automated Evaluation of Software Exploitability (2017)
• Security trend analysis with CVE topic models (2010)
• Standardising vulnerability categories (2008)

Miscellaneous Tasks

Vulnerability Information Retrieval

• Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation (2023)
• Automated event extraction of CVE descriptions (2023)
• Automatic software vulnerability classification by extracting vulnerability triggers (2022)
• Extraction of Phrase-based Concepts in Vulnerability Descriptions through Unsupervised Labeling (2022)
• Automation of Vulnerability Information Extraction Using Transformer-Based Language Models (2022)
• OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases (2021)
• Unsupervised Labeling and Extraction of Phrase-based Concepts in Vulnerability Descriptions (2021)
• Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models (2021)
• Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization (2021)
• Detecting and Augmenting Missing Key Aspects in Vulnerability Descriptions (2021)
• Automatic Part-of-Speech Tagging for Security Vulnerability Descriptions (2021)
• A Framework for Modeling Cyber Attack Techniques from Security Vulnerability Descriptions (2021)
• Predicting Missing Information of Key Aspects in Vulnerability Reports (2020)
• Automated CPE Labeling of CVE Summaries with Machine Learning (2020)
• An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions (2020)
• Towards the Detection of Inconsistencies in Public Security Vulnerability Reports (2019)
• Automated Characterization of Software Vulnerabilities (2019)
• Automated extraction of vulnerability information for home computer security (2014)

Cross-source Vulnerability Patterns

• Evaluating Text Augmentation for Boosting the Automatic Mapping of Vulnerability Information to Adversary Techniques (2022)
• Sourcing Language Models and Text Information for Inferring Cyber Threat, Vulnerability and Mitigation Relationships (2022)
• A Software Security Entity Relationships Prediction Framework Based on Knowledge Graph Embedding Using Sentence-Bert (2022)
• Machine Learning Based Approach for the Automated Mapping of Discovered Vulnerabilities to Adversial Tactics (2021)
• Key aspects augmentation of vulnerability description based on multiple security databases (2021)
• Predicting entity relations across different security databases by using graph attention network (2021)
• Linking Common Vulnerabilities and Exposures to the MITRE ATT&CK Framework: A Self-Distillation Approach (2021)
• Mentions of security vulnerabilities on Reddit, Twitter and GitHub (2019)
• Embedding and Predicting Software Security Entity Relationships: A Knowledge Graph Based Approach (2019)

Vulnerability Fixing Effort

• Time for addressing software security issues: Prediction models and impacting factors (2017)

Vulnerability Data

Please note that not all of the following data are open-source

Vulnerability databases

• National Vulnerability Database
• Common Vulnerabilities and Exposures
• Common Weakness Enumeration
• Common Attack Pattern Enumeration and Classification
• Common Product Enumeration
• MITRE ATT&CK Framework
• CVE Details
• Snyk
• Secunia vulnerability database
• ICS Cert
• Vulners
• Software Assurance Reference Dataset (SARD)
• Chinese Vulnerability Database

Security advisories

• ExploitDB
• SecurityFocus
• AlienVault
• Proofpoint
• Fortinet
• GreyNoise
• SecurityTracker
• Openwall
• X-Force
• Symantec
• ZeroDay Initiative
• Metasploit
• D2 Security's Elliot
• Contagio
• Recorded Future
• Avast
• ESET
• Trend Micro
• Kenna Security
• Fortiguard Labs
• SANS Internet Storm Centre
• Securewords CTU
• Reversing Labs
• Tenable
• Skybox

Other sources

• Twitter
• Reddit
• Darkweb

Contributing

Data-driven vulnerability assessment is growing very fast, so the authors of the paper cannot keep track of all the on-going research in the field. Thus, we always welcome the contributions from the community to keep this list up-to-date. Specifically, we welcome contributions in terms of new papers, new datasets and new tasks in this field. Please first refer to the contribution guidelines before making a contribution. Thank you.

In case you have any questions, please contact us via email.

Citation

If you use the materials in this repository for your research or your work, please cite the paper:

@article{le2022survey,
   author = {Le, Triet H. M. and Chen, Huaming and Babar, M. Ali},
   title = {A Survey on Data-Driven Software Vulnerability Assessment and Prioritization},
   year = {2022},
   publisher = {Association for Computing Machinery},
   address = {New York, NY, USA},
   issn = {0360-0300},
   url = {https://doi.org/10.1145/3529757},
   doi = {10.1145/3529757},
   journal = {ACM Comput. Surv.},
   month = {mar},
}