Saturday, October 19, 2024

Understanding the Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is a framework used to rate the severity and characteristics of security vulnerabilities in information systems. It assigns a numerical score ranging from 0 to 10, with 10 being the most severe. CVSS is vendor-neutral and allows organizations to score vulnerabilities across different software products using the same framework. It is maintained by the Forum of Incident Response and Security Teams (FIRST), a nonprofit organization with over 500 members.

CVSS is commonly used by IT managers and information security teams as part of a vulnerability management program to compare vulnerabilities and prioritize remediation. It is also used by application vendors and security vendors to prioritize security tests and remove known vulnerabilities during development. Many organizations, industries, and government groups, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, have adopted CVSS. Vendors such as Cisco, Oracle, Qualys, and SAP generate CVSS scores to communicate the severity of vulnerabilities in their products. Organizations can also apply CVSS to prioritize responses within their own environments.

Organizations adopt CVSS because it provides a standardized and transparent framework for scoring vulnerabilities. It allows everyone to understand how the scores are calculated and enables security teams to assess the impact of vulnerabilities on their systems. CVSS helps software developers prioritize security tests and ensure known vulnerabilities are addressed during development. It also assists organizations in meeting security requirements and promotes clear and consistent communication about vulnerabilities.

CVSS was introduced by the U.S. National Infrastructure Advisory Council in 2005 and is now owned and managed by FIRST. It has undergone several versions, with the latest being version 4.0. Each version has brought improvements and changes to more accurately reflect the severity and properties of vulnerabilities.

CVSS scores are calculated using three metric groups: Base, Temporal, and Environmental. The Base score is the most widely relied-upon group and consists of exploitability metrics (how easily the flaw can be reached and triggered) and impact metrics (the effect on confidentiality, integrity, and availability). The Temporal score measures aspects of the vulnerability that change over time, such as the availability of patches or working exploit code. The Environmental score allows organizations to adjust the Base score to reflect their own environment and includes factors such as business criticality and mitigating controls.

CVSS scores range from 0 to 10, with higher scores indicating more severe vulnerabilities. CVSS scores are used in conjunction with the Common Vulnerabilities and Exposures (CVE) catalog, which provides a unique identifier for each vulnerability and includes CVSS scores to indicate severity. CVSS calculators are available to help organizations calculate Temporal and Environmental scores for their own environments.

While CVSS is valuable in standardizing vulnerability assessments, it has limitations. Scores can be subjective and fluctuate based on the context and environment being evaluated. CVSS also has a limited scope and may not fully consider factors such as asset importance and cybersecurity controls. It can be complex to understand and may lead to oversights if solely relied upon for vulnerability prioritization.