Calculating CVSS Scores with ChatGPT (Tue, Apr 25th)


Everybody appears to be set to use ChatGPT for evil. After all, what is the fun in making the world a better place if, instead, you can make fun of a poor large-scale language model whose developers only hinted at what it could mean to be good?

Having not given up on machines finally taking over to beat the "humane" into "humanity," I recently looked at some ways to use ChatGPT more defensively.

An issue I have been struggling with is vendors like Apple providing very terse and unstructured vulnerability summaries. You may have seen my attempt to create a more structured version of them and to assign severities to these vulnerabilities. Given that there are often dozens of vulnerabilities and limitations of my human form, the severity I assign is more of a "best guess." So I figured I would try to automate this with ChatGPT, and the initial results are not bad. 

For example, let's take the last Apple vulnerability, CVE-2023-28206. This was an already exploited ("0-Day") privilege escalation vulnerability. 

ChatGPT delivers the following analysis:

Given the limited information, I think a score of 8.8, and the analysis, isn't bad. Personally, I would have rated it probably a bit lower.

I will probably add this to my Apple vulnerability parser and use this the next time Apple releases an update 🙂



Johannes B. Ullrich, Ph.D., Dean of Research


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
