My Software has a Vulnerability, should I worry?

Abstract

Vulnerability studies usually rely on the NVD or on 'proof-of-concept' exploit databases (Exploit-db or OSVDB), while the risk of an individual vulnerability is measured by its CVSS score. A key issue is whether reported and evaluated vulnerabilities have actually been exploited in the wild, and whether the risk score matches the risk of actual exploitation. We compare the NVD dataset with two additional datasets: EDB, for the white market of vulnerabilities, and EKITS, for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploits in the wild. We analyse the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores, testing their reliability as a risk factor for actual exploitation. We conclude that (a) EDB and NVD are the wrong baseline for studies that target real exploits, (b) the CVSS score presents high sensitivity (ruling in vulnerabilities we should worry about) only for vulnerabilities traded in the black market, and (c) we lack a metric with high specificity (ruling out vulnerabilities we shouldn't worry about).
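To make the sensitivity/specificity framing concrete, here is a constructed example that is not code or data from the paper: placeholder CVE ids with made-up CVSS scores and made-up dataset memberships, scoring the rule "CVSS >= 7.0" as a predictor of exploitation in the wild against a stand-in for the SYM ground truth. The `evaluate` function and all names are my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed toy data: placeholder ids and invented scores, not real CVEs.
CVSS: Dict[str, float] = {
    "CVE-0000-0001": 9.3, "CVE-0000-0002": 10.0, "CVE-0000-0003": 7.5,
    "CVE-0000-0004": 4.3, "CVE-0000-0005": 9.3, "CVE-0000-0006": 7.2,
    "CVE-0000-0007": 7.5, "CVE-0000-0008": 10.0, "CVE-0000-0009": 5.0,
    "CVE-0000-0010": 2.1, "CVE-0000-0011": 9.0,
}
NVD: Set[str] = set(CVSS)                      # every scored vulnerability
EDB: Set[str] = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004",
                 "CVE-0000-0005", "CVE-0000-0006", "CVE-0000-0010"}
EKITS: Set[str] = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
                   "CVE-0000-0011"}
SYM: Set[str] = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
                 "CVE-0000-0004"}              # stand-in for "exploited in the wild"


@dataclass
class Outcome:
    tp: int  # flagged by the score and exploited in the wild
    fn: int  # not flagged, yet exploited (the "should have worried" cases)
    tn: int  # not flagged and never exploited
    fp: int  # flagged but never exploited (the "worried for nothing" cases)

    @property
    def sensitivity(self) -> Optional[float]:
        pos = self.tp + self.fn
        return self.tp / pos if pos else None   # None: no exploited entries

    @property
    def specificity(self) -> Optional[float]:
        neg = self.tn + self.fp
        return self.tn / neg if neg else None   # None: no benign entries


def evaluate(dataset: Set[str], exploited: Set[str], threshold: float = 7.0) -> Outcome:
    """Treat 'CVSS >= threshold' as the risk rule and score it against ground truth."""
    out = Outcome(0, 0, 0, 0)
    for cve in dataset:
        flagged, seen = CVSS[cve] >= threshold, cve in exploited
        if flagged and seen:
            out.tp += 1
        elif not flagged and seen:
            out.fn += 1
        elif not flagged and not seen:
            out.tn += 1
        else:
            out.fp += 1
    return out


if __name__ == "__main__":
    for name, ds in (("NVD", NVD), ("EDB", EDB), ("EKITS", EKITS)):
        o = evaluate(ds, SYM)
        print(f"{name}: sensitivity={o.sensitivity} specificity={o.specificity}")
```

In this toy data the black-market set is the only one where the high-score rule catches every exploited entry, while none of the three baselines gives the rule a useful specificity.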
