This page addresses highlights of the Common Vulnerability Scoring System. Information about CVSS from the Forum of Incident Response and Security Teams (FIRST) is available at https://www.first.org/cvss.
Q: What is CVSS?
A: CVSS refers to the Common Vulnerability Scoring System. It is a vendor-neutral, industry standard that offers an open framework for conveying the severity of vulnerabilities and helping to determine the urgency and priority of responses to vulnerabilities. CVSS also solves the problem of multiple, incompatible scoring systems and is readily usable and comprehensible.
Q: Who developed CVSS?
A: The National Infrastructure Advisory Council (NIAC) commissioned CVSS to support the global Vulnerability Disclosure Framework. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), and was a combined effort involving many companies, including:
Internet Security Systems
Q: What does CVSS not do?
A: CVSS is not a threat scoring system, a vulnerability database, or a real-time attack scoring system. It is not similar to the U.S. Department of Homeland Security (DHS) National Terrorism Advisory System (NTAS).
Q: What is involved in CVSS?
A: The CVSS model is designed to provide users with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base metrics contain qualities that are intrinsic to any given vulnerability; these qualities do not change over time or in different environments. Temporal metrics contain characteristics of a vulnerability that evolve over the lifetime of the vulnerability. Environmental metrics contain characteristics of a vulnerability that relate to an implementation in a specific environment.
Q: What is the current version of CVSS?
A: The current version of CVSS is version 3 (CVSSv3). Cisco adopted CVSSv3 in January 2017. Cisco security publications that were initially released prior to the CVSSv3 adoption will reflect scores in CVSSv2.
For more information about Cisco adoption of CVSSv3, see The Evolution of Scoring Security Vulnerabilities: The Sequel.
Q: What are the details of the Base, Temporal, and Environmental metrics?
A: Details and specific metrics for CVSSv3 are described in the FIRST specification document.
Q: How is scoring determined?
A: Scoring is the process of combining all metric values according to specific formulas.
Base scoring is computed by the vendor or originator with the intention of being published and, once set, is not expected to change. Among other parameters, Base scoring is computed from confidentiality, integrity, and availability impact assessments. It serves as the foundation that is modified by the Temporal and Environmental metrics. The Base score has the largest bearing on the final score and represents vulnerability severity.
Temporal scoring is also computed by vendors and coordinators for publication. It modifies the Base score and allows for the introduction of mitigating factors that can reduce the score of a vulnerability. The Temporal score is designed to be reevaluated at specific intervals as a vulnerability ages; it represents vulnerability urgency at specific points in time.
Environmental scoring is optionally computed by end-user organizations. It allows for the introduction of factors that derive from a specific environment and it adjusts the combined Base-Temporal score. This adjusted, combined score should be considered the final score. It represents a moment in time, tailored to a specific environment. Organizations should use this score to prioritize responses within their own environments.
Q: Where can I get the details of the scoring formulas?
Q: Who is using CVSS?
A: NIAC submitted CVSS to the U.S. president in January 2005. DHS and the CVSS developers are encouraging widespread, voluntary adoption. Many organizations have since adopted CVSS, including several NIAC member companies (Akamai, American Water, Symantec, Union Pacific) and other organizations (CERT/CC, Cisco, HP, IBM, NIST, Oracle, Qualys, US-CERT).
Q: I am an end user (CISO/CSO/operations security person). Is there anything I need to do?
A: Typically, application and security product vendors will provide both the Base and Temporal scores. As an end user, you need only calculate your Environmental score.
Q: I am an application or product security vendor. Why should I use CVSS and publish CVSS Temporal scores?
A: As more vendors publish CVSS scores, more customers will understand and appreciate the advantages. They will grow to appreciate the ability to tailor scores to their environment and begin to expect CVSS scores from all their suppliers. The more it is used, the better it works.
Q: I am an end user, and really like other vendors' scoring methods. Why should I change to CVSS?
A: Unlike CVSS, many other systems are closed, competing standards that do not offer a mutable scoring framework and do not consider different environments.
Q: What does CVSS really offer that other scoring methodologies do not?
A: CVSS offers an open framework that can be readily used, understood, and improved upon to score vulnerabilities.
Q: Where can I get the CVSS code?
Q: How can I help establish CVSS throughout the industry?
A: The best way to help establish CVSS is to urge your vendors to support CVSS scoring.
Q: Where can I get more information about CVSS?
A: You can get more information from FIRST, the current custodian for CVSS, at https://www.first.org/cvss.
This document is part of the Cisco Security Center.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.