Common Vulnerability Scoring System (CVSS)
Threat Intelligence
Definition
A standardized, vendor-neutral system for rating the severity of IT vulnerabilities on a 0.0 to 10.0 scale so that they can be prioritized for remediation.
Technical Details
The Common Vulnerability Scoring System (CVSS), maintained by FIRST (Forum of Incident Response and Security Teams), is an open framework for rating the severity of security vulnerabilities in software and hardware. A vulnerability receives a numerical score from 0.0 to 10.0, where a higher score indicates a more severe vulnerability, together with a vector string (for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) that records the individual metric values from which the score was computed. In CVSS v3.x the score is derived from three metric groups. The Base metric group captures the intrinsic characteristics of the vulnerability, which do not change over time or across environments: the exploitability metrics Attack Vector, Attack Complexity, Privileges Required and User Interaction; Scope, which records whether the vulnerability lets an attacker affect components beyond the vulnerable one; and the impact on confidentiality, integrity and availability. Temporal metrics (Exploit Code Maturity, Remediation Level and Report Confidence) adjust the score for the current state of the vulnerability, such as whether working exploit code or an official fix exists. Environmental metrics let an organization tailor the score to its own deployment, by overriding Base metrics to reflect local conditions (for instance a network-reachable flaw on a host with no network exposure) and by weighting the confidentiality, integrity and availability impacts against the security requirements of the affected asset. The v3.x qualitative scale maps scores to None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0). CVSS v4.0, published by FIRST in 2023, renamed the Temporal group to Threat and added an optional Supplemental group, but the basic structure is the same. CVSS is widely used in vulnerability management and risk assessment processes, with one caveat practitioners should keep in mind: the Base score measures the severity of the flaw in isolation, not the risk it poses to a particular system, and that context is exactly what the Temporal and Environmental groups exist to supply.
Practical Usage
In practice, security teams use CVSS to rank vulnerabilities by severity so that remediation effort goes to the issues with the highest potential impact first. Organizations use the scores to decide patching order in their patch management process, to set service-level targets (for example, remediate Critical findings within days and High within weeks) and to explain to stakeholders what a given vulnerability could do to their systems. Many vulnerability databases, notably the National Vulnerability Database (NVD), publish a CVSS Base score and vector string for reported vulnerabilities, which makes an initial assessment quick. Because those published scores are Base scores only, a fixed cutoff is a coarse filter: a practitioner should also apply Environmental adjustments (is the component reachable, how critical is the asset) and Temporal information (is exploit code public, is a fix available) before treating the number as a measure of actual risk.
Examples
- A vulnerability in a popular web application framework is assigned a CVSS score of 9.8, indicating Critical severity. A 9.8 typically corresponds to a vector such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, that is, a flaw reachable over the network, exploitable without privileges or user interaction, and giving full control of the affected component. The organization using this framework prioritizes patching it over lower-scoring issues.
- A security analyst reviews the CVSS scores of vulnerabilities identified during a penetration test and focuses remediation effort first on those scoring 7.0 or higher, the High and Critical bands, while checking whether any lower-scoring finding becomes more serious once the environment it sits in is taken into account.
- A cybersecurity firm publishes a report on newly discovered vulnerabilities, including their CVSS scores and vector strings, helping organizations understand which vulnerabilities pose the greatest threat and require immediate attention.