Sarcouncil Journal of Engineering and Computer Sciences


An open-access, peer-reviewed international journal
Publication Frequency: Monthly
Publisher Name: SARC Publisher

ISSN Online: 2945-3585
Country of origin: Philippines
Impact Factor: 3.7
Language: English

AI-Driven Predictive Exploitability Scoring for Vulnerabilities in Open-Source Components

Keywords: AI risk measurement, application exploitability, open-source computing defense, machine learning, graph learning, cybersecurity metrics, risk ranking, probabilistic scoring.

Abstract: The expanding use of open-source software (OSS) has raised the security risk of undiscovered threats and of their exploitation. Traditional scoring methods such as the Common Vulnerability Scoring System (CVSS) offer a fixed severity rating but do not capture the dynamic risk of actual exploitation. This article presents an AI-based predictive exploitability scoring model that incorporates textual, structural, and temporal vulnerability characteristics of open-source components. The model is based on deep neural networks trained as an ensemble to estimate the probability of exploitation from multi-modal data. In the experimental results, its predictive accuracy, calibration, and interpretability are much greater than those of a baseline scoring system. The results indicate that semantic text embeddings and software dependency graph features contribute most to exploitability. The study contributes to vulnerability management practice by offering data-derived insights for prioritizing risks in an open-source ecosystem, supporting better reactive, proactive, and context-based defensive practice.
