Abstract: The criticality of software vulnerability is the measurement of the potential risk of which the software vulner-ability may be taken advantage for attacking the system. Based on analysis of current evaluation methods and their limitation, an analysis framework for evaluating the citicality of software vulnerability was proposed, according to the impact severity and probability of vulnerability. Based on fuzzy theory, the quantification model for evaluating the criticality of software vulnerability was proposed and the hierarchy of fuzzy evaluation factors’relationship and membership was established. The fuzzy set based indices quantification, the fuzzy relational matrix-based indices weight value and the general evaluation method for software vulnerability criticality were emphasized. At last, the application and implement of the evaluating model were given.

Key words: Software vulnerability, Impact, Criticality, Evaluation, Fuzzy theory