Common Vulnerability Scoring System (CVSS)

What is the Common Vulnerability Scoring System?

The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity of security vulnerabilities in software. It is application and vendor neutral, enabling an organization to score its IT vulnerabilities across a wide range of software products -- from operating systems and databases to web applications -- using the same scoring framework.

Benefits of CVSS

Historically, vendors used their own methods for scoring software vulnerabilities, often without detailing how their scores were calculated. This created a conundrum for system admins: should they fix a vulnerability with a severity of "high" first, or one with a rating of 5?

To address this problem, the US National Infrastructure Assurance Council (NIAC) developed CVSS to simplify the generation of consistent scores that could accurately reflect the severity and impact of vulnerabilities to a specific IT environment.

As CVSS is an open framework, organizations have full access to the parameters used to generate scores, enabling everyone to have a clear understanding of the rationale and differences behind any vulnerability scores. This makes it easier for security teams to gauge the impact of the vulnerabilities on their systems and prioritize which vulnerabilities to fix first.

Software developers can also use CVSS scores to prioritize security tests and ensure known, serious vulnerabilities are removed or mitigated during development.

Finally, CVSS can help organizations meet the security requirements of various standards. For example, the presence of unpatched vulnerabilities with a CVSS score of 4.0 or higher has an adverse impact on PCI compliance.

CVSS adoption

CVSS has seen wide adoption, including by government groups such as the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.

On the vendor side, organizations such as Cisco, Qualys, Oracle and SAP generate CVSS scores to communicate the severity of vulnerabilities found in their products.

History of CVSS

NIAC first introduced CVSS in 2005, but the international Forum for Incident Response and Security Teams (FIRST) now owns and manages it.

FIRST sponsors and supports the CVSS Special Interest Group (SIG), which is made up of various organizations and individuals who help promote and refine the framework.

CVSS SIG provided most of the research and feedback on the initial design of CVSS and helped test and refine the formulas used in later versions.

CVSS versions

CVSS v2 was released in 2007 and was seen as a significant improvement over the original version. It had fewer inconsistencies, provided additional granularity and more accurately reflected the true properties of IT vulnerabilities despite the wide variety of vulnerability types.

CVSS 3.0, released in June 2015, introduced scoring changes that more accurately reflected the reality of vulnerabilities encountered in the wild, such as the privileges required to exploit a vulnerability and the opportunities it gives an attacker who successfully uses it.

The most recent version is 3.1, released in June 2019.

Vulnerability metrics

A CVSS score is derived from scores in the following three metrics groups:

  1. Base
  2. Temporal
  3. Environmental

Together, these groups cover the different characteristics of a vulnerability, including its intrinsic impact, how its characteristics change over time and how it affects a particular environment.

The Base group is made up of six categories, the Temporal group of three values, and the Environmental group of five categories.

Base metrics

The Base score is the metric enterprises rely upon most. It deals with the inherent characteristics of a vulnerability -- that is, the ones that don't change over time or due to a user's environment, such as the degree to which a vulnerability could compromise the confidentiality, integrity or availability of the system. It is made up of two sets of metrics.

First are the Exploitability metrics, which include the following:

  • Attack vector
  • Attack complexity
  • Privileges required
  • User interaction

Second are the Impact metrics, which include the following:

  • Confidentiality impact
  • Integrity impact
  • Availability impact

Temporal metrics

The Temporal score measures aspects of the vulnerability according to its current status as a known vulnerability. It represents properties of a vulnerability that can change over time, such as the release of an official patch.

Temporal scoring also includes the Report Confidence metric, which measures the following:

  • the degree of confidence in the existence of the vulnerability; and
  • the credibility of the known technical details demonstrating that a vulnerability is both real and exploitable.

These metrics can decrease or increase the base score -- for example, if a patch or workaround becomes available, or the vulnerability is validated by the vendor.

The complete list of Temporal values is the following:

  • Exploit code maturity
  • Remediation level
  • Report confidence

Environmental metrics

The CVSS system's Environmental metrics let an organization refine the Base score to reflect its own environment by measuring the severity of the vulnerability adjusted for its impact on individual systems.

Environmental metrics provide real context for vulnerabilities within an organization by considering the following factors:

  • business criticality of the asset;
  • identification of mitigating controls; and
  • use of the asset in question.

The full list of Environmental metric categories includes the following:

  • Collateral damage potential
  • Target distribution
  • Confidentiality requirement
  • Integrity requirement
  • Availability requirement

How scoring works

A CVSS score can be between 0.0 and 10.0, with 10.0 being the most severe. To help convey CVSS scores to less technical stakeholders, FIRST maps CVSS scores to the following qualitative ratings:

  • 0.0 = None
  • 0.1 to 3.9 = Low
  • 4.0 to 6.9 = Medium
  • 7.0 to 8.9 = High
  • 9.0 to 10.0 = Critical

The Base score is mandatory while the Temporal score is optional. Both are provided by the vendor or analyst. The Environmental Group score is calculated by the end user and is also optional.

[Chart: CVSS score ranges and their corresponding severity categories. In the CVSS framework, higher scores correspond to more severe vulnerabilities.]

The only requirement for categorizing a vulnerability with a CVSS score is the completion of the Base score components -- the Exploitability subscore, the Impact subscore and the Scope subscore. These are combined into the overall Base score using a formula that weights each subscore.

The Temporal score is calculated by multiplying the Base score by the values of the three Temporal metrics.

The Environmental score is a more complex calculation. The end user recomputes the Base and Temporal scores using the five Environmental metrics to give a more accurate evaluation of the severity of a vulnerability, in the context of the way that the vulnerable component is deployed.


CVSS is not a vulnerability classification scheme like the Common Vulnerabilities and Exposures (CVE) system, which assigns each vulnerability a unique identifier, as listed in the National Institute of Standards and Technology (NIST) National Vulnerability Database.

CVE identifiers are in the format CVE-[Four-Digit Year]-[Sequential Identifier]. For example, the CVE for the Heartbleed vulnerability is CVE-2014-0160.

CVE does, however, use CVSS to provide an indication of the severity of each CVE. For each CVE vulnerability, FIRST provides qualitative ratings based on the CVSS base score.

CVSS calculators

Publicly available CVSS scores are Base scores only, so they represent the severity of a vulnerability but not whether a vulnerability poses a risk to a specific IT environment. A CVSS calculator is necessary to calculate the Temporal and Environmental scores for an organization's own environment.

FIRST, NIST and Cisco provide free CVSS calculators.

Editor's note: This article was written by Madelyn Bacon in 2019. TechTarget editors revised it in 2023 to improve the reader experience.

This was last updated in February 2023
