CVSS (Common Vulnerability Scoring System)
CVSS (Common Vulnerability Scoring System) is an open framework for scoring the severity of software vulnerabilities on a scale of 0.0 to 10.0, providing a standardized way to assess and prioritize risks.
The Common Vulnerability Scoring System (CVSS) is an industry-standard framework maintained by the Forum of Incident Response and Security Teams (FIRST) for assessing the severity of security vulnerabilities in computer systems. CVSS assigns a numerical score from 0.0 to 10.0, with higher scores indicating greater severity. Scores map to qualitative categories: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
CVSS scores are composed of three metric groups. The Base Score reflects the intrinsic characteristics of a vulnerability that remain constant over time, including the attack vector, attack complexity, privileges required, and impact on confidentiality, integrity, and availability. The Temporal Score adjusts the base score based on factors that change over time, such as the availability of exploits or official patches. The Environmental Score allows organizations to customize the severity based on their specific infrastructure and business context.
The current version, CVSS v4.0, introduced significant improvements over v3.1, including additional granularity in scoring metrics, better representation of the attacker's perspective, and new supplemental metrics that provide additional context about a vulnerability without affecting the score.
Organizations widely use CVSS scores to prioritize vulnerability remediation. Security teams often set thresholds, such as remediating all Critical and High vulnerabilities within a defined timeframe. CVSS scores appear in CVE entries, vulnerability scanner reports, and vendor security advisories, making them an essential communication tool in vulnerability management workflows.