CVSS scoring explained

CVSS is the universal language of vulnerability severity, but many security professionals still struggle to score accurately.
The Common Vulnerability Scoring System (CVSS) expresses the severity of a vulnerability as a number from 0.0 to 10.0, derived from a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Let's look at how the metric groups combine into a final score, using CVSS v3.1, the version most advisories and scanners still report.
1. The Base Score
This represents the intrinsic qualities of a vulnerability, the part that does not change over time or across environments. It combines the Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction), the Scope metric (whether exploitation affects resources beyond the vulnerable component's own security authority) and the Impact metrics (Confidentiality, Integrity, Availability). Exploitability and Impact are computed as separate sub-scores and then added, with a 1.08 bonus when Scope is Changed; a vulnerability with no impact at all scores 0.0 no matter how easy it is to exploit.
2. The Temporal Score
This group reflects the current state of exploitation and remediation: Exploit Code Maturity (does a public exploit exist, and how reliable is it?), Remediation Level (is there an official patch, a temporary fix, a workaround, or nothing?) and Report Confidence (how well is the vulnerability confirmed and understood?). Each is a multiplier of at most 1.0 applied to the Base Score, so a Temporal Score can only equal or lower the Base Score. Temporal scores change over time as exploits appear and patches ship.
3. The Environmental Score
The most overlooked group. It lets an organization adjust the score for its own environment in two ways: the Modified Base metrics override any Base metric with the value that actually holds locally, and the Security Requirements (Confidentiality, Integrity and Availability Requirement) weight each impact component by how much the affected asset matters. For example, if an asset is air-gapped, a network-reachable vulnerability can be rescored with Modified Attack Vector set to Physical, which lowers the score significantly. Unlike the Temporal metrics, the Environmental metrics can also raise a score: a High requirement multiplies that impact component by 1.5.
CVSS v4.0: Looking Ahead
The latest version, CVSS v4.0, aims for more granularity and a closer fit to real-world attack scenarios. It renames the Temporal group to Threat (reduced to a single Exploit Maturity metric), adds Attack Requirements to the Base group, splits User Interaction into None, Passive and Active, and replaces Scope with separate Vulnerable System and Subsequent System impact metrics. A new Supplemental group (for example Safety, Automatable and Recovery) carries context that does not change the score. The nomenclature now states which groups were assessed (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), so a score is no longer passed off as "Base" when threat or environmental data has been applied. Note that v4.0 scores are not produced by the v3.1 formulas: they come from a lookup over expert-ranked equivalence classes (MacroVectors), so a v3.1 and a v4.0 score for the same issue are not directly comparable.
