The Common Vulnerability Scoring System (CVSS) is an open standard maintained by the Forum of Incident Response and Security Teams (FIRST) that provides a method for scoring the severity of software vulnerabilities. Additional details and documentation for the standard are available at http://www.first.org/cvss.
CVSS rates a vulnerability according to three groups of metrics:
- Base: Describes the intrinsic, technical characteristics of the vulnerability that do not change over time or across environments (how it is reached, what privileges and user interaction it needs, and its confidentiality, integrity and availability impact)
- Temporal: Indicates how the severity changes over time as exploit code matures, fixes become available and the report is confirmed
- Environmental: Adjusts the score for a specific deployment, reflecting how important the affected asset is and whether the environment changes the base characteristics.
This document focuses on how Cisco uses CVSS. To learn more about the individual metrics or the scoring mechanics, please view the official documentation provided by FIRST.
Within Cisco, two groups use CVSS: the Product Security Incident Response Team (PSIRT) and the Cisco analyst team that creates multivendor vulnerability alerts. PSIRT handles security vulnerabilities in all Cisco products. It is the only team tasked with communicating information about vulnerabilities in Cisco products to customers. The Cisco analyst team provides intelligence and analysis for many vendors and products.
A common task for PSIRT and the analyst team is assigning and communicating CVSS scores to Cisco customers. In addition to external communications, PSIRT also uses CVSS as a major component in prioritizing the team’s workload.
The version of CVSS in use at the time of this writing is Version 3 (CVSSv3). Cisco adopted CVSSv3 in January 2017. For more information about PSIRT adoption of CVSSv3, see The Evolution of Scoring Security Vulnerabilities: The Sequel.
Note: Security publications that were initially released before the adoption of CVSSv3 carry CVSSv2 scores.
When PSIRT receives a report of a potential vulnerability, PSIRT assigns a preliminary Base score to it. The score is considered preliminary because it is often assigned before the issue described in the report has been reproduced. If a vulnerability has a sufficiently high Base score and can be triggered by mobile autonomous code (for example, a virus or worm), a PSIRT manager starts working on the report immediately.
Whatever its value, the preliminary score is recorded together with all information known at the time. It is a major component in determining how soon a PSIRT Incident Manager takes the report from the input queue: higher-priority cases (those with higher Base scores) are usually selected first. To prevent reports with lower scores from remaining in the input queue for too long, the next available Incident Manager may be asked to verify older reports instead of a more recent report with a higher score.
When a PSIRT Incident Manager begins working on a report, the preliminary score may change. Although it is assigned before all the facts about a vulnerability are known, it frequently does not need to change: experience, knowledge of Cisco products and knowledge of how those products are deployed help Incident Managers assign the correct score from the outset. Liaisons with other groups within and outside Cisco also help.
To ensure the most accurate and consistent scoring, the scores are verified by a second Incident Manager. Each report accepted by PSIRT has a primary and a backup owner. The primary owner actively works on the report while the backup owner monitors the situation and provides assistance when required. The primary duties of a backup owner include verifying the CVSS score assigned by the primary Incident Manager.
When these two scores do not match, the primary and backup Incident Managers reconcile the differences. Differences may arise when aspects of the report are understood differently, or when the backup Incident Manager can provide new insight or additional information that affects the overall understanding of the report. In every case, the primary and backup managers must agree on a single score.
This process produces the final score, which in nearly all instances is the score presented in the Cisco Security Advisory or other PSIRT publication. If new information uncovered during review changes the Base score, the publication carries the revised score.
Multivendor alert analysts provide Base and Temporal scores for each multivendor alert. These scores describe the direct impact of a vulnerability on the host platform running the affected software, independent of any particular customer environment.
During initial analysis of a vulnerability, the analysts check whether the primary product vendor has issued a CVSS score. If the vendor has provided a Base score, that score is used in the alert. Some vendors also provide Temporal scores for their vulnerabilities; the analysts typically use the vendor-provided Temporal score in the first version of an alert that follows its release. Once a score has been settled, the wording of the alert summary is aligned with the Base and Temporal metrics so that the narrative and the vector describe the same attack conditions and impact.
In some cases, third-party reports or the analysts' own testing reveal inconsistencies in the vendor's interpretation of CVSS or in how the score was applied. The analysts still use the vendor's Base score, but the Temporal score may be adjusted, and the alert includes a detailed explanation of the adjustment.
Multivendor alerts are living documents, and one alert is produced per vulnerability so that each carries its own accurate CVSS score. When new or updated vulnerability information is released, the alert is updated. These updates often change elements of the Temporal score, for example when a public exploit is released (Exploit Code Maturity) or a vendor patch becomes available (Remediation Level).
Beyond the Base and Temporal decimal scores, multivendor alerts also include the shorthand CVSS vector string from which those scores are derived. Publishing the vector, not just the rounded number, matters most to organizations that compute Environmental scores for their own networks: the Environmental metric group lets them weight the Confidentiality, Integrity and Availability Requirements of the affected asset and override individual base metrics (for example, Attack Vector) to reflect how the product is actually deployed, and that recalculation is only possible when every base metric value is known. The result is a flexible input to vulnerability management and risk assessment.
Cisco uses CVSS to give customers a single, common scoring system that is shared by multiple vendors. Where vendors use their own proprietary scoring systems, it is difficult for customers to judge the relative importance of reported vulnerabilities: a decision maker who must weigh an "Important" vulnerability in one product against an "Easy/Wide" confidentiality impact in another has no common scale to work with. CVSS removes that obstacle. Customers can use the same metrics to compare vulnerabilities across vendors and make timely, informed decisions about the relative impact on their environments.
This document is part of the Cisco Security portal.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.