
An Introduction to Common Vulnerability Scoring System (CVSS)

  • Yamini
  • Dec 24, 2021

Common Vulnerability Scoring System


The Common Vulnerability Scoring System (CVSS) is an open framework for accurately rating the severity and risk of computer and cloud security vulnerabilities in a particular piece of software.


It covers a wide range of software products, from operating systems to large databases and web applications.


The same scoring framework is used to score an organization's IT vulnerabilities across a multitude of products, as explained by FIRST.


Need To Adopt the CVSS


Traditionally, vendors used their own tools and solutions for detecting and scoring software vulnerabilities. The major trouble back then was that there were no exact methods and parameters for determining the vulnerability score. System admins were, as you can rightly suppose, in a huge fix as to which vulnerability they should prioritize.


NIAC then developed the Common Vulnerability Scoring System, a breakthrough that makes the entire process of scoring software vulnerabilities a lot easier.


This innovation helped in precisely reflecting the severity and the potential effects of vulnerabilities on any Information Technology environment. The major advantage that the Common Vulnerability Scoring System offers is complete access to the different criteria used for scoring vulnerabilities.


This enables system admins to better understand why vulnerability scores vary between software systems. IT security professionals and teams can get a clearer picture of the existing vulnerabilities on the system.


They can then plan better and order the work on their software systems by priority. They can easily decide to fix the most severe vulnerabilities first, in line with their interests and requirements. Vulnerabilities and issues that are unpatched and have a Common Vulnerability Scoring System score of 4 or higher need to be fixed on a priority basis.


Several successful organizations, namely Cisco, Qualys, Oracle, and SAP, use CVSS scores to identify and communicate the severity of vulnerabilities in their wide range of software products.


Common Vulnerability Scoring System also enables software developers to use CVSS scores for prioritizing security tests. This ensures that all the present and severe vulnerabilities can easily be eliminated during the process of development itself. 




Evolution of Common Vulnerability Scoring System


It was introduced by NIAC in 2005, but is now owned and run by the International Forum for Incident Response and Security Teams (FIRST). FIRST also sponsors the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG), which includes several organizations. This association collaborates to redefine the entire framework of scoring software vulnerabilities.


The initial design of the Common Vulnerability Scoring System was supported by the extensive research and valuable feedback provided by the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG).


All the formulas that appeared in the later versions were tested and refined by the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG). The second version of the Common Vulnerability Scoring System, CVSS v2, was released in 2007 and was undoubtedly a very crucial advancement over the original version.


It worked towards drastically reducing inconsistencies and providing extensive support. Though software vulnerabilities vary to a great extent, CVSS v2 revolutionized the way system admins looked at the properties of IT vulnerabilities. It was a milestone in reflecting the true and accurate properties of IT vulnerabilities.


In June 2015, CVSS 3.0 arrived with substantial changes. It was also unique in that it accurately demonstrated the entire scope of vulnerabilities that a software developer normally encounters. In June 2019, the most recent version, CVSS 3.1, was released.




How does the CVSS scoring work?


CVSS scoring operates on a scale of 0 to 10. A vulnerability that scores 10 is the most severe and needs to be fixed at the earliest.


FIRST has defined the following qualitative ratings for CVSS scores:


  • 0 = None

  • 0.1 - 3.9 = Low

  • 4.0 - 6.9 = Medium

  • 7.0 - 8.9 = High

  • 9.0 - 10.0 = Critical


Metric Groups involved in CVSS


The following metric groups constitute the open framework of CVSS:


  1. Base metrics 


Enterprises mostly depend on the base score, as it captures the most critical features of a vulnerability.

Those characteristics do not change over time and do not depend on a user's environment. The base score is made up of two distinct sets of metrics, as detailed below:


  • The Exploitability metrics: This set of metrics covers the following elements:

      • Attack vector
      • Attack complexity
      • Privileges required
      • User interaction

  • The impact metrics: This set of metrics includes the elements mentioned below:

      • Confidentiality impact
      • Integrity impact
      • Availability impact



  2. Temporal Metrics


The temporal metrics represent the aspects of a vulnerability that change over time and reflect its current status as a known vulnerability. The release of an official patch, for example, is captured by the temporal score.


It usually consists of three metrics:


  • Exploit code maturity: The techniques or code available for exploiting the vulnerability, which change over time.

  • Remediation Level: Whether a remediation is available for the vulnerability.

  • Report Confidence: The level of confidence that the vulnerability exists and the credibility of its known technical details.



  3. The Environmental metrics


These metrics are highly useful as they provide the real context for vulnerabilities within an organization. By utilizing these metrics, an organization can easily refine the base score to fit its environment.


This is an enormous help in accurately measuring the severity of the vulnerability. It takes into account the business criticality of the asset, the mitigating controls identified, and how the asset is used.


The environmental score is made up of the following metrics:


  • Collateral damage potential

  • Target distribution

  • Confidentiality requirement

  • Integrity requirement

  • Availability requirement




To conclude, CVSS is one of the most significant ways to measure or rate the severity and risk of computer system security. The numerical score obtained allows for the systematic listing of vulnerabilities on the basis of priority.


The vulnerability management process has become easier and more organized due to the qualitative representation offered by the metric scores in CVSS. 
