Vulnerability Propagation Scoring System (VPSS)

Updated 21 October 2025

VPSS is a quantitative framework that models how vulnerabilities propagate across software ecosystems by integrating traditional severity metrics with dynamic contextual factors.
It employs mathematical models to calculate propagation breadth and depth, thereby enabling precise risk prioritization and remediation focus.
Empirical evaluations in supply chains and industrial systems validate VPSS by significantly narrowing remediation targets and aligning risk scores with real-world exploitability.

A Vulnerability Propagation Scoring System (VPSS) is a quantitative framework and methodology intended to assess, in a systematic and dynamic fashion, how software vulnerabilities propagate through complex technological ecosystems. Unlike traditional vulnerability scoring systems that focus on the intrinsic severity of an individual vulnerability, VPSS explicitly models the risk propagation pathways—across software supply chains, networks, or interdependent asset graphs—and quantifies both the scale and depth of potential impact. The VPSS concept emerges as a response to the limitations of widely used metrics such as the Common Vulnerability Scoring System (CVSS), which, while effective at local risk characterization, lacks mechanisms to express contextual, ecosystem-wide, or dynamic propagation effects (Ruan et al., 2 Jun 2025).

1. Conceptual Foundations and Rationale

VPSS addresses two fundamental shortcomings in prevailing vulnerability assessment practices: the inability of existing severity metrics to differentiate between widely propagated and isolated vulnerabilities, and the lack of dynamic, time-aware scores that reflect evolving ecosystem conditions. The need for VPSS is underscored by observations that, for example, applying rule-based patching policies aligned to high CVSS scores achieves only negligible risk reduction (3–4%), whereas targeting vulnerabilities known to propagate within exploit kits yields risk reduction on par with effective real-world mitigations (e.g., safety belts in cars achieve ~43% fatality reduction) (Allodi et al., 2013). This highlights the inadequacy of high-sensitivity yet low-specificity metrics because high scores often fail to correspond to actual exploitation in the wild or to distinguish benign from truly dangerous vulnerabilities.

VPSS is therefore conceptualized as an evolution of the traditional severity-only scoring regime, aiming to combine technical vulnerability factors (as codified in CVSS), market-based signals (such as exploit availability in public and black markets), real-world detection analytics (e.g., observed exploits), and the structural/topological characteristics of the affected software environment.

2. Mathematical Models and Aggregation Approaches

The computational core of a VPSS involves aggregating multiple dimensions of propagation through explicit mathematical models. In recent work targeting software supply chains (Ruan et al., 2 Jun 2025), VPSS is defined via two principal components:

Propagation Breadth Factor (PBF): Quantifies the fraction of the ecosystem directly and transitively impacted by a vulnerability, combining:
- Directly affected projects ( $P_{dir}$ ) and project-versions ( $PV_{dir}$ ) as ratios over ecosystem totals.
- Indirectly (transitively) affected projects ( $P_{trans}$ , $PV_{trans}$ ).
- The aggregation is weighted and amplified logarithmically:

$\text{PBF} = \ln\left(1 + \gamma \cdot (w_1 r_{p_\text{dir}} + w_2 r_{p_\text{trans}} + w_3 r_{pv_\text{dir}} + w_4 r_{pv_\text{trans}})\right)$

Propagation Depth Factor (PDF): Captures the maximal and average length of affected dependency chains, normalized:

$\text{PDF} = 1 + \frac{L_{\max} + L_{\text{avg}}}{2 L_{\text{norm}}}$

The raw VPSS score is then:

$\text{VPSS}_\text{raw} = \text{PBF} \times \text{PDF}$

To provide a normalized, interpretable risk score in the canonical (0–10) range, an exponential saturation is applied:

$\text{VPSS} = 10 \times (1 - \exp(-\text{VPSS}_\text{raw} / k))$

where $k$ is a hyperparameter controlling saturation.

Alternative approaches integrate context factors akin to those in risk propagation and aggregation models. For instance, adjustment multipliers for functionality relevance ( $\rho$ ), graph deepness ( $\beta$ ), deployment context ( $\gamma$ ), and exploit maturity ( $\mu$ ) are multiplied to the raw CVSS score per vulnerability as in:

$\lambda = \rho \cdot \beta \cdot \gamma \cdot \mu$

and then recursively aggregated to ensure total risk is appropriately bounded (Longueira-Romero et al., 2023).

3. Algorithmic Methods for Propagation Analysis

At the core of efficient VPSS implementation is the need to scale propagation analysis to large ecosystems. Hierarchical worklist-based algorithms have been developed to perform call-graph and ecosystem-wide propagation determination (Ruan et al., 2 Jun 2025). The salient features are:

Hierarchical Pruning: Coarse-grained (package-level) and fine-grained (function or call-graph level) pruning is used—first by version, then by actual code import, and finally by checking call-graph relationships—thereby dramatically reducing the search space.
Worklist Strategy: Projects or packages whose state may impact downstream nodes are iteratively processed and pruned unless new propagation evidence is found.
Handling of Cyclic Dependencies: Systems with shared or cyclic dependencies are handled by ensuring nodes are revisited only when their propagation state changes, guaranteeing eventual convergence.

Such frameworks enable the calculation of which projects and specific versions are actually vulnerable, as opposed to overestimating impact via mere transitive dependency enumeration.

4. Integration with Existing Scoring Systems and Contextualization

A central tenet in VPSS design is leveraging legacy severity scores (CVSS) while correcting for both system-specific and empirical context. This is achieved by adjusting base metrics using bespoke multipliers derived from:

Contextual factors: Functionality disruption, actual exploitability in the live context, existence and maturity of public exploits, and location in the system’s dependency or attack graph (Longueira-Romero et al., 2023).
Environmental topology and control measures: For industrial systems, modifying exploitability scores based on asset reachability and control presence (e.g., firewalls) through a mapping of CVSS metrics to asset-local equivalents (e.g., AV to MAV, AC to MAC) (Cheimonidis et al., 20 Mar 2024).
Temporal dynamics: VPSS is often computed over time snapshots, capturing the real-world evolution of risk as patches are adopted and the ecosystem changes (Ruan et al., 2 Jun 2025).

By integrating these corrections, VPSS moves beyond static, context-free assessment and achieves higher practical specificity—filtering non-exploitable issues and prioritizing only those with true propagation potential.

5. Empirical Evaluation and Case Studies

VPSS implementations have been validated in multiple contexts:

Supply Chain Ecosystems: In the Java Maven ecosystem (Ruan et al., 2 Jun 2025), the VPSS framework evaluated propagation paths for 100 real vulnerabilities, demonstrating high pruning efficiency (avg. 97.8% of projects and 99.2% of project-versions excluded from analysis), accurate ecosystem impact identification, and meaningful risk decline trends as mitigations propagated.
Industrial Control Systems: Adjusted scores reflecting environmental and control measures, attack path modeling, and fuzzy cognitive map aggregation yielded dynamic risk assessments aligning with real-world topologies (Cheimonidis et al., 20 Mar 2024).
Practical Prioritization Impact: VPSS-style context-adjusted scores can help organizations drastically narrow their remediation focus from tens of thousands of critical CVSS vulnerabilities to a tractable shortlist, commensurate with observed exploitation likelihood and propagation risk (Allodi et al., 2013, Longueira-Romero et al., 2023, Ruan et al., 2 Jun 2025).

6. Comparative Perspective and Relationship to Other Scoring Systems

Comparisons among scoring systems highlight several key points:

Traditional severity metrics like CVSS are high-sensitivity but low-specificity risk factors; they catch most exploited vulnerabilities but produce a surfeit of false positives, as exemplified by a 94% false positive rate for high/medium CVSS scores in NVD when checked against real-world exploitation (Allodi et al., 2013).
Context-aware and propagation-based scoring remedies this by introducing filtering factors, depth/breadth measures, and empirical signals (e.g., exploit kit presence, observed wild exploitation) (Longueira-Romero et al., 2023, Ruan et al., 2 Jun 2025).
VPSS as a metric complements existing tools, acting as an orthogonal signal further informed by supply chain and dependency graph analytics.

7. Limitations, Challenges, and Future Directions

Adoption of VPSS methodologies presents notable challenges:

Data and Model Fidelity: Accurately constructing dependency/call graphs at scale, maintaining up-to-date knowledge of exploit markets, automating extraction of functionality and exploit context.
Timeliness and Evolution: Ecosystem models must respond to real-time changes (e.g., new releases/patches, emerging exploits); thus, periodic re-evaluation is mandatory.
Standardization and Transparency: There is ongoing need for clear mathematical formulation, formal evaluation, and transparency regarding model parameters and corrections, as well as harmonization with legacy systems (Koscinski et al., 19 Aug 2025).

Future research is expected to refine the combination of graph-theoretic propagation models, machine learning for exploit trend prediction, empirical scoring, and economic considerations in patch prioritization. Increasing emphasis on precision (high specificity) will further focus resources on vulnerabilities most likely to propagate and cause systemically significant harm.

In sum, the Vulnerability Propagation Scoring System constitutes an integrated, dynamic, and context-enriched approach to quantifying vulnerability risk across interconnected software or hardware ecosystems. By mathematically aggregating impact scale, propagation depth, and real-world context, and by correcting traditional severity scores with practical environmental and exploitability factors, VPSS provides actionable, time-aware, and economically rational prioritization of security risks. This positions VPSS as a critical tool for contemporary vulnerability management, particularly in supply chain, cloud, and cyber-physical domains.