Glossary
CVSS (Common Vulnerability Scoring System)
A standardized scoring system that rates the severity of software vulnerabilities on a scale of 0-10, used for prioritization.
Definition
CVSS (Common Vulnerability Scoring System) is a standardized method for rating the severity of software vulnerabilities, with scores ranging from 0.0 (lowest) to 10.0 (highest).
CVSS is widely used in vulnerability management to prioritize patching efforts.
CVSS Ratings
- 0.0 – None
- 0.1-3.9 – Low
- 4.0-6.9 – Medium
- 7.0-8.9 – High
- 9.0-10.0 – Critical
CVSS Calculation
A CVSS score is built from three metric groups:
Base Metrics (unchanged over time)
- Attack Vector – Network, Local, Physical, Adjacent
- Attack Complexity – Low, High
- Privileges Required – None, Low, High
- User Interaction – None, Required
- Scope – Unchanged, Changed
- Confidentiality – None, Low, High
- Integrity – None, Low, High
- Availability – None, Low, High
Temporal Metrics (change over time)
- Exploit Maturity – Unproven, Proof-of-concept, Functional, High
- Remediation Level – Official Fix, Temporary Fix, Workaround, Unavailable
- Report Confidence – Unknown, Reasonable, Confirmed
Environmental Metrics (specific to organization)
- Confidentiality Requirement – Low, Medium, High
- Integrity Requirement – Low, Medium, High
- Availability Requirement – Low, Medium, High
CVSS Limitations
CVSS rates technical severity but doesn’t consider:
- Whether the vulnerability is actually being exploited
- Business impact of compromise
- Asset criticality
- Threat actor interest in the vulnerability
A critical CVSS 10 vulnerability in niche software may be less urgent than a medium CVSS 6 vulnerability in widely used software that’s actively exploited.