
CVSS

A vulnerability scoring system that assigns a rating from 0 to 10 based on technical characteristics. Used to standardise the assessment of vulnerability severity.

What is CVSS?

CVSS (Common Vulnerability Scoring System) is an open standard developed by FIRST (Forum of Incident Response and Security Teams) for assessing the severity of security vulnerabilities. The system assigns each vulnerability a numerical score on a scale from 0.0 to 10.0, where 10.0 indicates the highest threat level.

A CVSS score consists of three metric groups. Base metrics describe the constant characteristics of a vulnerability - attack vector (network, local), attack complexity, required privileges and impact on confidentiality, integrity and availability. Temporal metrics account for factors that change over time - exploit availability, patch availability. Environmental metrics allow the score to be adjusted to the context of a specific organisation.

The current version of the standard is CVSS v4.0, published in 2023. It introduces additional metric groups and more precise differentiation of impact on the vulnerable system and dependent systems. CVSS is widely used by vulnerability databases (NVD, CVE), software vendors and vulnerability scanners.

Why does it matter?

CVSS provides a common reference point for comparing the severity of different vulnerabilities. However, the CVSS score alone is not sufficient for prioritising remediation - a vulnerability scored 9.8 in a test system may be less urgent than a vulnerability scored 7.5 in a production system exposed to the internet.

Modern approaches to vulnerability management, such as SSVC (Stakeholder-Specific Vulnerability Categorization) or EPSS (Exploit Prediction Scoring System), supplement CVSS with organisational context and active exploitation data. CVSS remains, however, the foundation on which more advanced prioritisation methods are built.
