This page addresses highlights of the Common Vulnerability Scoring System. Information about CVSS from the Forum of Incident Response and Security Teams (FIRST) is available at https://www.first.org/cvss.
Q: What is CVSS?
A: CVSS refers to the Common Vulnerability Scoring System and is a vendor-neutral, industry standard that conveys vulnerability severity and helps determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone.
Q: Who developed CVSS?
A: The National Infrastructure Advisory Council (NIAC) commissioned CVSS to support the global Vulnerability Disclosure Framework. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:
Internet Security Systems
Q: What does CVSS not do?
A: CVSS is not a threat scoring system, a vulnerability database, or a real-time attack scoring system. It is not similar to the U.S. Department of Homeland Security (DHS) National Terrorism Advisory System (NTAS).
Q: What is involved in CVSS?
A: The CVSS model is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base metrics contain qualities that are intrinsic to any given vulnerability; these qualities do not change over time or in different environments. Temporal metrics contain characteristics of a vulnerability that evolve over the lifetime of the vulnerability. Environmental metrics contain characteristics of a vulnerability that are related to an implementation in a specific user's environment.
Q: What is the current version of CVSS?
A: The current version of CVSS is version 3. Cisco is currently using version 2. Cisco will begin to adopt CVSSv3 for assessing security vulnerabilities in the fourth quarter of calendar year 2016. Please see The Evolution of Scoring Security Vulnerabilities for more information.
Q: What are the details of the base, temporal, and environmental metrics?
Q: How is scoring determined?
A: Scoring is the process of combining all metric values according to specific formulas.
Base scoring is computed by the vendor or originator with the intention of being published, and, once set, is not expected to change. Base scoring is also computed from confidentiality, integrity, and availability. This is the foundation that is modified by the temporal and environmental metrics. The base score has the largest bearing on the final score and represents vulnerability severity.
Temporal scoring is also computed by vendors and coordinators for publication, and modifies the base score. It allows for the introduction of mitigating factors to reduce the score of a vulnerability and is designed to be reevaluated at specific intervals as a vulnerability ages. The temporal score represents vulnerability urgency at specific points in time.
Environmental scoring is optionally computed by end-user organizations and adjusts the combined base-temporal score. This adjusted combined score should be considered the final score and represents a moment in time, tailored to a specific environment. User organizations should use this score to prioritize responses within their own environments.
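The three-stage composition described above, worked through as an added example (not Cisco's tooling or the official FIRST calculator), using the CVSS v2 formulas and metric weights since the page states Cisco currently scores with version 2; the vector string is a constructed sample, and the vendor-published base and temporal scores are recomputed by the end user only for the environmental stage.

```python
import math
# CVSS v2 metric weights (values from the CVSS v2 specification); "ND" = not defined
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def round1(x):
    return math.floor(x * 10 + 0.5) / 10  # CVSS v2 rounds half up to one decimal

def parse_vector(vector):
    # "AV:N/AC:M/Au:N/C:P/..." -> {metric: value}; unknown metrics or values are rejected
    m = dict(part.split(":", 1) for part in vector.split("/"))
    if any(k not in WEIGHTS or v not in WEIGHTS[k] for k, v in m.items()):
        raise ValueError("invalid CVSS v2 vector: " + vector)
    return m

def weight(m, k):
    return WEIGHTS[k][m.get(k, "ND")]  # temporal/environmental metrics default to ND

def base_score(m, req=None):
    r = req or {"C": 1.0, "I": 1.0, "A": 1.0}  # req is set only for the environmental recomputation
    impact = 10.41 * (1 - (1 - weight(m, "C") * r["C"]) * (1 - weight(m, "I") * r["I"]) * (1 - weight(m, "A") * r["A"]))
    impact = min(10.0, impact) if req else impact  # the spec caps only AdjustedImpact at 10
    exploitability = 20 * weight(m, "AV") * weight(m, "AC") * weight(m, "Au")
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def temporal_score(m, base):
    return round1(base * weight(m, "E") * weight(m, "RL") * weight(m, "RC"))

def environmental_score(m):
    req = {x: weight(m, x + "R") for x in "CIA"}  # security requirements reweight C, I, A
    adjusted_temporal = temporal_score(m, base_score(m, req))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * weight(m, "CDP")) * weight(m, "TD"))

def score(vector):
    # (base, temporal, environmental): vendor-published base and temporal, then the end user's tailored score
    m = parse_vector(vector)
    base = base_score(m)
    return base, temporal_score(m, base), environmental_score(m)
```

For the constructed vector AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:M/AR:L the temporal metrics (proof-of-concept exploit, official fix) pull the 6.8 base down to 5.3, and the end user's environmental metrics (medium-high collateral damage, high confidentiality requirement) push the final score back up to 7.2.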
Q: Where can I get the details of the scoring formulas?
Q: Who is using CVSS?
A: NIAC submitted CVSS to the U.S. president in January 2005. DHS and the CVSS developers are encouraging widespread, voluntary adoption. Currently several NIAC member companies (Union Pacific, American Water, Symantec, Akamai) have adopted CVSS, as have other organizations (CERT/CC, US-CERT, Cisco, Qualys).
Q: I am an end user (CISO/CSO/operations security person). Is there anything I need to do?
A: Typically, application and security product vendors will provide both the base and temporal scores. As the end user, you need only calculate your environmental score.
A: As more vendors begin publishing CVSS scores, more customers will understand and appreciate the advantages. They will grow to appreciate the ability to tailor scores to their environment and begin to expect CVSS scores of all their suppliers. The more it is used, the better it works.
Q: I am an end user, and really like other vendors' scoring methods. Why should I change to CVSS?
A: Other systems are closed, competing standards; do not offer a mutable scoring framework; and do not consider different environments.
Q: What does CVSS really offer that other scoring methodologies do not?
A: CVSS offers an open framework that can be used, understood, and improved upon by anyone to score vulnerabilities.
Q: Where can I get the CVSS code?
Q: How can I help establish CVSS throughout the industry?
A: Urge your vendors to support CVSS scoring.
Q: Where can I get more information about CVSS?
A: You can get more information from FIRST, the current custodian for CVSS, at https://www.first.org/cvss.
This document is part of the Cisco Security Center.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.