Skip to content Skip to navigation Skip to footer
CVSS Definition
CVSS Metrics
Limitations
CVSS Scoring
FAQs

What Is Common Vulnerability Scoring System (CVSS)?

Common vulnerabilities and exposures (CVE) is a list or glossary of publicly known security flaws. It assesses vulnerabilities and scores them using the common vulnerability scoring system (CVSS). Cybersecurity professionals use this information to determine how dangerous vulnerabilities are.

Managed by the MITRE Corporation, the CVE glossary project is devoted to monitoring and recording flaws in information security. The U.S. Department of Homeland Security (DHS) provides funds to maintain it. 

History of CVSS

The need for a standardized approach to assess IT security risks gave rise to the common vulnerability scoring system (CVSS). It was introduced in 2005 by the U.S. National Infrastructure Advisory Council (NIAC). However, CVSS began as a research project by the NIAC in 2003. The key goal was to streamline how organizations measure and communicate the severity of vulnerabilities across systems and various environments.

Responsibility for the framework’s development and oversight now lies with FIRST (Forum of Incident Response and Security Teams). In support of ongoing evolution, FIRST coordinates the CVSS Special Interest Group (SIG), a collective of cybersecurity professionals and organizations. The SIG has been vital in shaping the framework through continuous research, testing, and refinement. It ensures CVSS remains relevant to real-world threat conditions.

Here are the CVSS Versions with their year of release.

  • CVSS v2: This version was released in 2007 and helped reduce inconsistencies, offered more granularity, and delivered better accuracy in representing IT vulnerabilities across diverse system types.

  • CVSS v3.0: Launched in June 2015, it introduced updates to reflect real-world vulnerability conditions. It included factors such as the level of privileges required to exploit a flaw and the extent of access gained by attackers upon successful exploitation.

  • CVSS v3.1: Released in June 2019, its goal was to refine the existing framework. It did not alter any core metrics or formulas but improved the overall usability and consistency of the standard.

  • CVSS v4.0: This is the latest version that became available on November 1, 2023. This version brought several enhancements, including granularity in base metrics, streamlining threat metrics with more impactful scoring, and supplemental attributes to help vulnerability response. Most importantly, it provided broader applicability to operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT) environments.

How Does CVSS Work?

An overall CVSS score is calculated using the following:

  1. Base CVSS score: This is determined by the actual vulnerability—specifically how threat actors can exploit the vulnerability and the kind of damage they can inflict after gaining access to a system.
  2. Environmental CVSS score: The environmental CVSS score focuses on the assets the vulnerability exposes to attack. It quantifies the confidentiality, integrity, and availability of the asset, specifically how these factors make it easy to exploit the vulnerability.

What Is Common Vulnerability Scoring System: Three Metrics Of CVSS

CVSS uses three primary metrics to score vulnerabilities: base metrics, temporal metrics, and environmental metrics. Metrics are different from scores in that they are the elements CVSS uses to determine the scores.

1. Base metrics

These metrics focus on how exploitable the vulnerability is and its impact.

Exploitability

The exploitability element of the vulnerability takes into account:

  1. The attack vector that can be used to exploit the vulnerability
  2. The complexity of the attack that can exploit the vulnerability (i.e., how difficult it is to pull off the attack)
  3. The privileges required to access and exploit the vulnerability
  4. User interaction (i.e., how often the user must interact with tools the attacker uses or the system itself for the attack to be successful)

The number of times attackers have to authenticate as they attempt to gain access to a system using the vulnerability

2. Temporal metrics

The temporal metrics value varies over the life span of the vulnerability, which sets it apart from other CVSS metrics. This is because of exploits being created, published, and automated, as well as the availability of mitigation solutions. Because these factors change over time, temporal metrics are designed to adjust accordingly.

  1. Exploitability: In the context of temporal metrics, this describes the present state of the automated exploitation code or techniques that attackers leverage to take advantage of a vulnerability.
  2. Remediation level: This refers to the number of fixes and solutions available to reduce the number of vulnerabilities.
  3. Report confidence: This term describes the likelihood that a vulnerability actually exists, as well as the accuracy of the technical information about the vulnerability.

3. Environmental metrics

The environmental metrics evaluate the seriousness of the impact of a vulnerability.

  1. Collateral damage potential: This measures the potential loss or impact on physical assets, such as tools, hardware, and users—or the financial consequences if the vulnerability is exploited.
  2. Target distribution: This metric calculates the percentage of weak systems the vulnerability can exploit.
  3. Impact subscore modifier: This measures how important it is to maintain the confidentiality, integrity, and availability of the assets the vulnerability can compromise.

Why Organizations Need To Adopt CVSS For Effective Vulnerability Management

Here are the key benefits of CVSS that make it clear why organizations should adopt it for effective vulnerability management.

  • Standardized scoring: CVSS replaces inconsistent, vendor-specific scoring methods. It offers a universal and structured system that helps IT teams prioritize vulnerabilities based on severity.

  • Transparent methodology: The open framework discloses all scoring parameters, offering clarity into how scores are derived. This enables consistent decision-making.

  • Supports development security: Developers can use CVSS scores to identify high-risk vulnerabilities early in the software development lifecycle.

  • Regulatory alignment: CVSS supports compliance efforts, such as PCI DSS, which considers unpatched vulnerabilities with scores above four as compliance risks.

  • Improved communication: CVSS promotes a common language for security teams, enabling more efficient and aligned discussions around vulnerability risks and response planning.

  • Prioritization tool: It helps organizations determine which vulnerabilities to remediate, mitigate, or accept based on severity and business impact.

  • Complement to risk assessments: While CVSS is valuable, it should be used with broader risk analysis for a complete security posture, as advised by FIRST.org.

Limitations Of The CVSS Framework

CVSS base scores only represent the severity of a vulnerability. They do not take into account the risk that severity brings to your specific environment or provide an accurate cyber-risk score. As such, it is impossible to prioritize vulnerability remediation effectively. In other words, some vulnerabilities may be extremely concerning overall, but they may not endanger your specific environment at all.

Base CVSS scores can be accessed through several publicly available databases. As a result, most security teams look through these databases first when prioritizing and patching vulnerabilities. However, relying on these base scores in a vacuum is a serious mistake. They do not account for the impact of real-world exploits or consider the availability of attack-mitigation solutions that can render the vulnerability relatively harmless.

Without this supporting information, a vulnerability management team may focus their time and effort on noncritical vulnerabilities instead of dedicating resources toward addressing vulnerabilities that pose the greatest risk to business-critical assets.

What Is CVSS Score And How Is It Calculated?

What is CVSS in cybersecurity? The CVSS score can be used to determine the threat level associated with each vulnerability—and thus, which vulnerability to prioritize. This means software developers, testers, security experts, and IT professionals all have a standardized procedure for evaluating vulnerabilities, thanks to CVSS.

How is CVSS score calculated? Several score subgroups are combined to get the CVSS score. Only the base score components are required to classify a vulnerability within the CVSS system. For a more accurate assessment, CVSS scores should also include environmental and temporal metrics.

The overall CVSS score also takes into account an impact subscore, an exploitability subscore, and a scope subscore. These three criteria evaluate the importance of the damaged data and systems, the attack's impact on systems that may appear to be unaffected, and the overall extent of the attack.

Evaluating CVSS scores helps you identify and mitigate security risks effectively. Understand CVSS scores to strengthen your security posture.

How to leverage CVSS scores to improve business security?

A CVSS score offers one straightforward value that summarizes the effect of a single computer security flaw. But when using CVSS for incident response and vulnerability remediation, contextual considerations must also be factored in.

Keep in mind that CVSS does not consider details of an organization's IT environment, which can influence the effect and severity of a vulnerability. This makes it difficult to examine what each score means, especially when taken out of context. For instance, a “critical” severity vulnerability on a less significant system may be less important than a “medium” severity vulnerability on a more business-critical system.

But if you are aware of the existence of vulnerabilities, you can take further steps, such as performing a vulnerability assessment or penetration test. In this way, each vulnerability's CVSS score can raise awareness and motivate cyber-defense teams to action.

CVSS vs CVE

CVSS is not a vulnerability classification system. This makes it different from CVE, which is a list of all the vulnerabilities mentioned in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

In other words, while CVE identifies each vulnerability and provides a means of distinguishing one vulnerability from the next, CVSS gives IT teams a means of ranking the severity of each vulnerability. As a result, IT teams can use CVE to differentiate between vulnerabilities and then CVSS to rank them according to which ones can have the most impact on a network environment.

Securing The Future: Implementing CVSS To Drive Better Security Outcomes

Organizations face growing pressure to manage vulnerabilities across increasingly complex IT environments. CVSS helps them by offering a standardized method to score and prioritize vulnerabilities based on severity. Its open framework allows for transparency, enabling IT teams to make accurate decisions. Besides, developers can identify and address critical issues early in the software development process.

Most importantly, CVSS supports compliance requirements like PCI DSS and improves communication. This approach helps teams decide whether to remediate, mitigate, or accept specific flaws. 

Fortinet’s Dynamic Application Security Testing (DAST) solution strengthens this process by identifying runtime application vulnerabilities in real-time. It enables security, DevOps, and development teams to automatically conduct black-box testing on web applications. Besides, DAST identifies potential vulnerabilities that attackers could exploit, ranks them based on CVSS-driven threat scores, and offers clear remediation steps to help teams resolve issues efficiently and stay compliant.

Lack of efficient CVE remediation can lead to severe data breaches and prolonged exposure. Automate vulnerability testing with FortiDAST.

Common Vulnerability Scoring System FAQs

What is the common vulnerability scoring system (CVSS)?

The common vulnerability scoring system (CVSS) is used in line with the common vulnerabilities and exposures (CVE), which is a glossary that categorizes vulnerabilities. CVSS scores vulnerabilities according to a set of criteria, assigning each vulnerability a numerical value that represents how severe it is. This data is used by cybersecurity professionals to determine how dangerous vulnerabilities are.

Why should organizations conduct vulnerability assessments?

Organizations need to look beyond a one-time vulnerability assessment, as vulnerabilities evolve and new threats emerge regularly. A single assessment may fail to reflect these ongoing and dynamic changes.

Is CVSS a threat model?

CVSS is not a threat model. It is a scoring system designed to measure the severity of vulnerabilities. It does not offer a complete analysis of threats or how they interact with those vulnerabilities.

What is a 9.8 CVSS score?

A CVSS score of 9.8 shows a critical vulnerability. It means high impact and severe exploitability. This score is possible only if the scope stays unchanged because a scope change gives 10.0.

What is CVSS severity?

CVSS severity reflects how dangerous a vulnerability is, based on its score. It ranges from low to critical and helps security teams prioritize fixes based on potential risk.

Cybersecurity Resources

Quick Links

Speak with an Expert

Please fill out the form and a knowledgeable representative will get in touch with you soon.

Also of Interest: