
CVSS (Common Vulnerability Scoring System)

CVSS provides a standardized way to measure the severity of vulnerabilities. It assigns scores from 0 to 10 to help organizations prioritize which flaws to address first.

What is CVSS?

The **Common Vulnerability Scoring System (CVSS)** is an open framework maintained by FIRST (Forum of Incident Response and Security Teams) that provides a universal method of rating the severity of security vulnerabilities. Each vulnerability receives a numerical score from 0.0 to 10.0 together with a vector string that records the metric values from which the score was derived, so anyone can reproduce the calculation; for example, the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction, high loss of confidentiality, integrity, and availability) yields 9.8. Under the qualitative rating scale used since CVSS v3.0, a score of 9.8 is Critical, while a score of 4.0 is Medium. CVSS is often used in combination with CVE identifiers: CVE gives the vulnerability a name, while CVSS quantifies its technical severity. Note that the Base score measures severity, not risk; it is meant to be combined with context such as active exploitation, exposure, and compensating controls before it drives remediation priority.

How it typically works


  1. Assessment: the vulnerability’s characteristics are analyzed against the metrics defined in the CVSS specification.
  2. Scoring with metrics:
    • Base metrics capture intrinsic qualities of the vulnerability that do not change over time or across environments: exploitability (attack vector, attack complexity, privileges required, user interaction), scope, and the impact on confidentiality, integrity, and availability.
    • Temporal metrics account for factors that change over time, such as exploit code maturity, remediation level, and report confidence (CVSS v4.0 replaces this group with Threat metrics).
    • Environmental metrics adapt the score to a specific deployment by weighting the confidentiality, integrity, and availability requirements of the affected asset and by modifying Base metrics to reflect compensating controls.
  3. Calculation: the metric values are combined by the equations in the specification into a score between 0.0 (none) and 10.0 (critical); the Base score is the one most commonly published.
  4. Publication: the Base score and its vector string are shared through the NVD (National Vulnerability Database) or vendor advisories, typically alongside the CVE identifier.
  5. Prioritization: organizations use the score, together with their own Temporal and Environmental adjustments and other context such as known exploitation, to rank vulnerabilities and decide patching schedules.

Common techniques


  • Base metric evaluation: analyzing attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability.
  • Temporal metric adjustment: factoring exploit maturity or availability of remediation.
  • Environmental tuning: organizations adapt the score to reflect local business priorities.
  • Severity categories:
    • None (0.0)