Helping CNAs Generate CVSS Scores Faster and More Confidently Using XAI

The number of cybersecurity vulnerabilities keeps growing every year. Each vulnerability must be reported to the MITRE Corporation and assessed by a Counting Number Authority, which generates a metrics vector that determines its severity score. This process can take up to several weeks, with higher-severity vulnerabilities taking more time. Several authors have successfully used Deep Learning to automate the score generation process and used explainable AI to build trust with the users. However, the explanations that were shown were surface label input saliency on binary classification. This is a limitation, as several metrics are multi-class and there is much more we can achieve with XAI than just visualizing saliency. In this work, we look for actionable actions CNAs can take using XAI. We achieve state-of-the-art results using an interpretable XGBoost model, generate explanations for multi-class labels using SHAP, and use the raw Shapley values to calculate cumulative word importance and generate IF rules that allow a more transparent look at how the model classified vulnerabilities. Finally, we made the code and dataset open-source for reproducibility.