Common Vulnerability Scoring System Q & A

Q: What is CVSS?
A: CVSS refers to the Common Vulnerability Scoring System and is a vendor-neutral, industry standard that conveys vulnerability severity and helps determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone.

Q: Who developed CVSS?
A: The National Infrastructure Advisory Council (NIAC) commissioned CVSS to support the global Vulnerability Disclosure Framework. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:

CERT/CC
Cisco Systems
DHS/MITRE
eBay
Internet Security Systems
Microsoft
Qualys
Symantec

Q: What does CVSS not do?
A: CVSS is not a threat scoring system, a vulnerability database, or a real-time attack scoring system. It is not similar to the U.S. Department of Homeland Security (DHS) color warning system.

Q: What is involved in CVSS?
A: The CVSS model is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base metrics contain qualities that are intrinsic to any given vulnerability; these qualities do not change over time or in different environments. Temporal metrics contain characteristics of a vulnerability that evolve over the lifetime of the vulnerability. Environmental metrics contain characteristics of a vulnerability that are related to an implementation in a specific user's environment.

Q: What is the current version of CVSS?
A: The current version of CVSS is version 2.

Q: What are the details of the base, temporal, and environmental metrics?
A: Metrics for CVSS version 2 are described in the FIRST CVSS FAQ.

Q: How is scoring determined?
A: Scoring is the process of combining all metric values according to specific formulas.

Base scoring is computed by the vendor or originator with the intention of being published, and, once set, is not expected to change. It takes into account the confidentiality, integrity, and availability impacts of the vulnerability. This is the foundation that is modified by the temporal and environmental metrics. The base score has the largest bearing on the final score and represents vulnerability severity.

Temporal scoring is also computed by vendors and coordinators for publication, and modifies the base score. It allows for the introduction of mitigating factors to reduce the score of a vulnerability and is designed to be reevaluated at specific intervals as a vulnerability ages. The temporal score represents vulnerability urgency at specific points in time.

Environmental scoring is optionally computed by end-user organizations and adjusts the combined base-temporal score. This adjusted combined score should be considered the final score and represents a moment in time, tailored to a specific environment. User organizations should use this score to prioritize responses within their own environments.

Q: Where can I get the details of the scoring formulas?
A: Scoring details are available in the FIRST online guide.

Q: Who is using CVSS?
A: NIAC submitted CVSS to the U.S. president in January 2005. DHS and the CVSS developers are encouraging widespread, voluntary adoption. Currently several NIAC member companies (Union Pacific, American Water, Symantec, Akamai) have adopted CVSS, as have other organizations (CERT/CC, US-CERT, Cisco, Qualys).

Q: I am an end user (CISO/CSO/operations security person). Is there anything I need to do?
A: Typically, application and security product vendors will provide both the base and temporal scores. As the end user, you need only calculate your environmental score.

Q: I am an application or product security vendor. Why should I use CVSS and publish CVSS temporal scores?
A: As more vendors begin publishing CVSS scores, more customers will understand and appreciate the advantages. They will grow to appreciate the ability to tailor scores to their environment and begin to expect CVSS scores of all their suppliers. The more it is used, the better it works.

Q: I am an end user, and really like other vendors' scoring methods. Why should I change to CVSS?
A: Other systems are closed, competing standards; do not offer a mutable scoring framework; and do not consider different environments.

Q: What does CVSS really offer that other scoring methodologies do not?
A: CVSS offers an open framework that can be used, understood, and improved upon by anyone to score vulnerabilities.

Q: Where can I get the CVSS code?
A: CVSS is a framework that you can use to develop an application suitable to your needs, your environment, and your customers. No established code exists yet. However, you may use a web-based CVSS calculator.

Q: How can I help establish CVSS throughout the industry?
A: Urge your vendors to support CVSS scoring.

Q: Where can I get more information on CVSS?
A: You can get more information from FIRST, the current custodian for CVSS, at http://www.first.org/cvss/. Documentation on CVSS metrics, formulas, and scoring is available at http://www.first.org/cvss/cvss-guide.html.

This document is part of the Cisco Security Center.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.