This page addresses highlights of the Common Vulnerability Scoring System. The CVSS FAQ from the Forum of Incident Response and Security Teams (FIRST) is available at http://www.first.org/cvss/faq.
Q: What is CVSS?
A: CVSS refers to the Common Vulnerability Scoring System and is a vendor-neutral, industry standard that conveys vulnerability severity and helps determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone.
Q: Who developed CVSS?
A: The National Infrastructure Advisory Council (NIAC) commissioned CVSS to support the global Vulnerability Disclosure Framework. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:
Internet Security Systems
Q: What does CVSS not do?
A: CVSS is not a threat scoring system, a vulnerability database, or a real-time attack scoring system. It is not similar to the U.S. Department of Homeland Security (DHS) color warning system.
Q: What is involved in CVSS?
A: The CVSS model is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base metrics contain qualities that are intrinsic to any given vulnerability; these qualities do not change over time or in different environments. Temporal metrics contain characteristics of a vulnerability that evolve over the lifetime of the vulnerability. Environmental metrics contain characteristics of a vulnerability that are related to an implementation in a specific user's environment.
Q: What are the details of the base, temporal, and environmental metrics?
A: Metrics for CVSS version 2 are described in the FIRST CVSS FAQ.
Base scoring is computed by the vendor or originator with the intention of being published, and, once set, is not expected to change. Base scoring is also computed from confidentiality, integrity, and availability. This is the foundation that is modified by the temporal and environmental metrics. The base score has the largest bearing on the final score and represents vulnerability severity.
Temporal scoring is also computed by vendors and coordinators for publication, and modifies the base score. It allows for the introduction of mitigating factors to reduce the score of a vulnerability and is designed to be reevaluated at specific intervals as a vulnerability ages. The temporal score represents vulnerability urgency at specific points in time.
Environmental scoring is optionally computed by end-user organizations and adjusts the combined base-temporal score. This adjusted combined score should be considered the final score and represents a moment in time, tailored to a specific environment. User organizations should use this score to prioritize responses within their own environments.
Q: Where can I get the details of the scoring formulas?
A: Scoring details are available in the FIRST online guide.
Q: Who is using CVSS?
A: NIAC submitted CVSS to the U.S. president in January 2005. DHS and the CVSS developers are encouraging widespread, voluntary adoption. Currently several NIAC member companies (Union Pacific, American Water, Symantec, Akamai) have adopted CVSS, as have other organizations (CERT/CC, US-CERT, Cisco, Qualys).
Q: I am an end user (CISO/CSO/operations security person). Is there anything I need to do?
A: Typically, application and security product vendors will provide both the base and temporal scores. As the end user, you need only calculate your environmental score.
Q: I am an application or product security vendor. Why should I use CVSS and publish CVSS temporal scores?
A: As more vendors begin publishing CVSS scores, more customers will understand and appreciate the advantages. They will grow to appreciate the ability to tailor scores to their environment and begin to expect CVSS scores of all their suppliers. The more it is used, the better it works.
Q: I am an end user, and really like other vendors' scoring methods. Why should I change to CVSS?
A: Other systems are closed, competing standards; do not offer a mutable scoring framework; and do not consider different environments.
Q: Where can I get the CVSS code?
A: CVSS is a framework that you can use to develop an application suitable to your needs, your environment, and your customers. No established code exists yet. However, you may use a web-based CVSS calculator.
Q: Where can I get more information on CVSS?
A: You can get more information from FIRST, the current custodian for CVSS, at http://www.first.org/cvss/. Documentation on CVSS metrics, formulas, and scoring is available at http://www.first.org/cvss/cvss-guide.html.
This document is part of the Cisco Security Center.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.