The Common Vulnerability Scoring System (CVSS) is an open framework, maintained by FIRST, for rating the severity of software vulnerabilities. It produces a numerical score from 0.0 to 10.0, where higher scores indicate greater severity, together with a vector string that records how each metric was assessed. CVSS gives organizations a standardized way to assess and compare vulnerabilities and to decide which issues to fix first, with the caveat that the score measures severity rather than the likelihood that a particular system will actually be attacked.
How It Works
CVSS v3.x scores are calculated from three metric groups. The Base Score captures the intrinsic characteristics of the vulnerability that do not change over time: how it is exploited (Attack Vector, Attack Complexity, Privileges Required, User Interaction), whether a successful exploit reaches beyond the vulnerable component's own security boundary (Scope), and the impact on Confidentiality, Integrity and Availability. The base score is the one vendors and vulnerability databases publish.
The Temporal Score adjusts the base score for factors that change over time: whether exploit code exists and how mature it is (Exploit Code Maturity), whether an official fix, temporary fix or workaround is available (Remediation Level), and how well the vulnerability's existence and details are confirmed (Report Confidence). Each temporal multiplier is at most 1.0, so the temporal score can only equal or lower the base score, never raise it; a proof-of-concept exploit for a bug that already has an official patch, for instance, pulls a 9.8 down to 8.8. As exploit code matures and patches ship, the temporal score is re-evaluated. (CVSS v4.0 renames this group Threat and keeps only the exploit-maturity metric.)
The Environmental Score lets an organization tailor the score to its own context in two ways: Security Requirements (CR, IR, AR) weight the confidentiality, integrity and availability impacts by how much each matters for the affected asset, and Modified Base metrics override the base metrics to reflect the actual deployment or compensating controls. A vulnerability in a system that handles sensitive financial data might therefore keep its full base score, while the same vulnerability in an internal documentation server reachable only from the local network might drop from Critical to Medium. These adjustments align generic severity ratings with the organization's real exposure, and they are the part of CVSS that the organization, not the vendor, is expected to fill in.
CVSS v3.x maps scores to qualitative severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0). The mapping applies to whichever score is being reported, so a Critical base score can become a High or Medium environmental one in a given deployment. Many organizations use these categories to set remediation timelines: critical vulnerabilities might require patching within 24 hours, while low-severity findings might be scheduled for the next maintenance window.
Why It Matters
CVSS provides a common language for vulnerability severity that transcends individual organizations and vendors. Security assessment reports use CVSS scores and vector strings to communicate the relative urgency of findings, enabling stakeholders to make informed decisions about resource allocation. Understanding how the metrics combine helps teams judge whether a published base score reflects the risk to their own environment, and to adjust it with the environmental metrics rather than accept it at face value.
Need your application tested? Get in touch.