Definition

CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities in software. Operated by the Forum of Incident Response and Security Teams (FIRST), the CVSS uses an algorithm to determine three severity rating scores: Base, Temporal and Environmental. The scores are numeric; they range from 0.0 through 10.0 with 10.0 being the most severe.

The Base score is the metric most relied upon by enterprises and deals with the inherent qualities of a vulnerability. The Temporal score represents the qualities of the vulnerability that change over time, and the Environmental score represents the qualities of the vulnerability that are specific to the affected user's environment. According to the most recent version of the CVSS, v3.0, a score of 0.0 receives a "None" rating; a score of 0.1-3.9 gets a "Low" severity rating; a score of 4.0-6.9 is a "Medium" rating; a score of 7.0-8.9 is a "High" rating; and a score of 9.0-10.0 is a "Critical" rating.

The CVSS allows organizations to prioritize which vulnerabilities to fix first and gauge the impact of the vulnerabilities on their systems. Many organizations use the CVSS, and the National Vulnerability Database (NVD) provides scores for most known vulnerabilities. According to the NVD, a CVSS base score of 0.0-3.9 is considered "Low" severity; a base score of 4.0-6.9 is "Medium" severity; and a base score of 7.0-10.0 is "High" severity.

The CVSS was introduced in 2005 by the National Infrastructure Advisory Council (NIAC), which turned over management and development of the standard to FIRST. The current version, CVSS 3.0, was introduced in June 2015. Because the CVSS is a free and open standard, several vendors, such as Oracle, have customized their own versions of it.

This was last updated in August 2016
