CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is an industry-standard framework for rating the severity of security vulnerabilities using a numerical score from 0.0 to 10.0, where higher scores indicate more severe vulnerabilities.

Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a standardised method for organisations to assess and prioritise vulnerabilities based on their characteristics rather than relying on subjective or inconsistent severity ratings. This system uses a formula that considers multiple factors to calculate scores, ensuring consistent severity ratings across different organisations and security tools.

CVSS version 4.0 (the current standard) evaluates vulnerabilities across several metric groups:

  • Base metrics
  • Supplemental metrics
  • Threat metrics (previously known as temporal)
  • Environmental metrics

The Base metric group captures the exploitability of the vulnerability and its impact on the vulnerable system, and also records the impact on subsequent systems so that any downstream consequences of a successful attack are reflected in the score.

The Threat metric group relates to how a threat may change over time, such as whether a public exploit or proof-of-concept code is available. This was previously known as the “Temporal” metric group in prior versions of CVSS (such as CVSS v3.1).

The Environmental metric group captures characteristics unique to an individual organisation’s environment (e.g. a specific implementation of their infrastructure or application stack). This can include mitigating factors that reduce the overall risk of a vulnerability.

The Supplemental metric group lets the consumer of the CVSS rating apply local context to the metric values. It does not change the resulting CVSS score (i.e. CVSS-BTE), but provides additional context when analysing vulnerabilities with CVSS 4.0 ratings.
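The four metric groups described above are carried in a CVSS v4.0 vector string (for example `CVSS:4.0/AV:N/AC:L/...`). The following Python is an added example, not code from the page or from FIRST: it parses such a vector, validates each metric against the values the v4.0 specification allows, sorts the metrics into their Base, Threat, Environmental and Supplemental groups, and derives the score nomenclature (CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE) from which groups are actually applied. It does not compute the numeric score. One design choice is an assumption of this example: a Threat or Environmental group counts as "applied" only if at least one of its metrics is set to a value other than X (Not Defined).

```python
"""Parse a CVSS v4.0 vector string and classify its metrics by group.

Added example (not part of the original page). Allowed values per metric
are taken from the CVSS v4.0 specification; the "applied group" rule used
for the nomenclature is this example's own assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Base metrics: exploitability (AV, AC, AT, PR, UI), vulnerable-system impact
# (VC, VI, VA) and subsequent-system impact (SC, SI, SA).
BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
# Threat metrics (formerly "Temporal"): Exploit Maturity only in v4.0.
THREAT = {"E": ("X", "A", "P", "U")}
# Environmental metrics: security requirements plus modified base metrics.
ENVIRONMENTAL = {
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
}
# Supplemental metrics: context only, never change the score.
SUPPLEMENTAL = {
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
GROUPS = {"base": BASE, "threat": THREAT, "environmental": ENVIRONMENTAL,
          "supplemental": SUPPLEMENTAL}


@dataclass
class Cvss4Vector:
    base: dict[str, str]
    threat: dict[str, str] = field(default_factory=dict)
    environmental: dict[str, str] = field(default_factory=dict)
    supplemental: dict[str, str] = field(default_factory=dict)

    @property
    def nomenclature(self) -> str:
        """CVSS-B / -BT / -BE / -BTE depending on which groups are applied.

        Assumption of this example: a group is applied when any of its
        metrics has a value other than X. Supplemental metrics are ignored
        here because they never alter the score.
        """
        t = any(v != "X" for v in self.threat.values())
        e = any(v != "X" for v in self.environmental.values())
        return "CVSS-B" + ("T" if t else "") + ("E" if e else "")


def parse_cvss4(vector: str) -> Cvss4Vector:
    """Parse and validate a CVSS v4.0 vector string; raises ValueError on error."""
    prefix = "CVSS:4.0/"
    if not vector.startswith(prefix):
        raise ValueError("not a CVSS v4.0 vector string")
    parsed: dict[str, dict[str, str]] = {name: {} for name in GROUPS}
    seen: set[str] = set()
    for component in vector[len(prefix):].split("/"):
        metric, sep, value = component.partition(":")
        if not sep or not metric or not value:
            raise ValueError(f"malformed component {component!r}")
        if metric in seen:
            raise ValueError(f"duplicate metric {metric}")
        seen.add(metric)
        for name, table in GROUPS.items():
            if metric in table:
                if value not in table[metric]:
                    raise ValueError(f"invalid value {value!r} for {metric}")
                parsed[name][metric] = value
                break
        else:
            raise ValueError(f"unknown metric {metric}")
    missing = sorted(set(BASE) - set(parsed["base"]))
    if missing:  # every Base metric is mandatory in a v4.0 vector
        raise ValueError(f"missing base metrics: {missing}")
    return Cvss4Vector(**parsed)


def is_valid_cvss4(vector: str) -> bool:
    """Convenience wrapper: True if the vector parses cleanly."""
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vectors (not real advisories).
    for v in ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
              "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:H/AU:Y"):
        parsed_vector = parse_cvss4(v)
        print(parsed_vector.nomenclature, parsed_vector)
```

Validating vectors before ingesting them into a vulnerability-management pipeline catches malformed or truncated strings early, and the nomenclature label makes it obvious whether a score already reflects threat intelligence and the organisation's own environment or is still a bare Base score.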

Organisations can use CVSS scores to prioritise remediation efforts, focusing limited security resources on vulnerabilities that are most likely to be exploited and cause significant impact.