skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.


Common Vulnerability Scoring System (CVSS)

CVSS (Common Vulnerability Scoring System) is an industry standard for assessing the severity of a security vulnerability. The characteristics of a vulnerability are assessed, and then a numerical score is produced, which weights the overall severity. This numerical score can then be assigned to a category or tranche such as low, medium, high and critical so that organizations can then prioritize their vulnerability management efforts.

The CVSS is a framework that is developed and maintained by FIRST. FIRST is the Forum of Incident Response Security Teams. FIRST, a North Carolina non-profit corporation, was founded in 1990. The founding organizations and individuals believed that cooperation on cybersecurity issues of high interest, such as vulnerabilities or major attacks, were of essential interest to security operations teams. Today FIRST reflects a joint initiative including security experts and teams from commercial enterprise, academic, and government institutions.

FIRST works to bring together incident response and security teams from every country across the world. Impactful security response is a global task benefiting from the support of many organizations. FIRST also helps bring a common taxonomy to security vulnerability assessment. This enables security operations teams to have a common and accurate understanding of an incident such that they can react quickly and efficiently.

It is important to note that the CVSS measures the severity of a vulnerability but should not be used alone to assess risk. A detailed assessment of risk generally requires a more comprehensive assessment and will include other factors beyond the scope of the CVSS. 


CVSS Groups

Today the CVSS consists of three groups. These are Base, Temporal, and Environmental. Base groups include the characteristics of a vulnerability that are generally constant across user environments and over time. The Temporal group focuses on the aspects of a vulnerability that change over time. The Environmental group reflects the characteristics of a vulnerability that are unique to a user environment. 

The Base metrics are composed of two sets of metrics. They are the Exploitability metrics and the Impact metrics. Exploitability metrics are designed to represent the technical means and ease with which a vulnerability can be exploited. Specifically, what are the characteristics of that which is vulnerable, which is the vulnerable component. Impact refers to the direct results of a successful exploit and is designed to represent the consequences to the component that suffers the impact, which is also called the impacted component.

The Temporal metric presents the characteristics of a vulnerability that may change over time but remain stable in user environments. The Environmental metric group presents the characteristics of a vulnerability that are specific to a particular user’s environment. 

Base metrics will generate a score from 0 to 10, and these are then modified by the additional scoring of the Temporal and Environmental metrics.  Scores are represented as a vector string, which is a compressed textual representation of the underlying values used to produce the score.

Attribution: This Figure 1 graphics is from the CVSS specification

Scoring brings the CVSS together. Security analysts generally assign the base scoring. The Base scoring is computed by deriving the Exploitability score and the Impact score. This Base score can then be further adjusted by the scores from the Temporal and Environmental metrics. 

Base Metrics includes many metrics which will be scored including Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI). The Scope measurement defines whether a vulnerability in one of the vulnerable components impacts resources in components beyond its security scope. Impact metrics try to capture the results of a successfully exploited vulnerability on the component or control that suffers the worst outcome associated with the attack. 


NVD and the Common Vulnerability Scoring System

The National Vulnerability Database (NVC) provides CVSS scores for many known vulnerabilities. The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). The NVD data enables the automation of vulnerability management, security measurement, and related compliance. The NVD includes databases of security checklist references, security-related flaws, product names, misconfigurations, and impact metrics. 

The NVD supports both Common Vulnerability Scoring System (CVSS) v2.0 and v3.X standards. The NVD provides CVSS Base scores but does not provide Temporal scores or Environmental scores. 

In summary, the benefits of the CVSS scoring system are simple and highly compelling. The CVSS brings a common taxonomy to scoring and assessing vulnerabilities. This helps security teams identify risks that require action. These risks can be prioritized for action, including fixes, patches, mitigation by using compensation security controls, or more.

There are many online resources to support CVSS calculations and related decisions. They include:


Back To Top