On the Inconsistency of Update-Related Vulnerabilities
摘要
Update-related vulnerabilities represent a rising security concern. These vulnerabilities are introduced or exposed during software and firmware deployments, yet the consistency with which they are documented across public databases and vendor advisories remains underexplored. In this paper, we examine eight years of entries from a major public vulnerability repository alongside their corresponding vendor advisories, focusing on divergences in key metrics such as exploitability scores, severity ratings, and impacts on confidentiality, integrity, and availability. Our analysis reveals observable misalignments in how these core attributes are reported, as well as inconsistent categorizations of underlying weaknesses that may mislead organizations about the true root causes. Such inconsistencies undermine the reliability of risk assessments, may influence the prioritization of mitigation efforts, and can lead security teams to misallocate resources when addressing or considering recommendations for update-related vulnerabilities.