
Severity Prediction of Software Vulnerabilities based on their Text Description

2021 23rd International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC) (2021)

Abstract
Software vulnerabilities represent a real challenge nowadays, often resulting in disruption of vital systems and data loss. Due to the multitude of software applications used within a company, system administrators often end up in the situation of facing multiple vulnerabilities at the same time, having no choice but to prioritize the most critical ones. Administrators commonly use vulnerability databases and metric systems to rank vulnerabilities; however, it usually takes from days to weeks for the metrics to be published since these metrics are established by human security analysts and the number of daily discovered exploits is constantly increasing. Therefore, newly discovered vulnerabilities, especially those without an available patch, represent the largest problem. In this paper, we propose a deep learning approach to predict the severity score and other metrics of a vulnerability using only its text description, which is available on discovery. We use a Multi-Task Learning architecture with a pre-trained BERT model for computing vector-space representations of words. Our best configuration achieves a mean absolute error of 0.86 for the severity score and an accuracy of 71.55% for the severity level.
Keywords
Software vulnerability, CVE, CVSS, Natural Language Processing, BERT-based language model, Multi-Task Learning