Principal Investigator: Mike Schiffman

Project Description: To date, several computer security vendors and not-for-profit organizations have developed, promoted, and implemented systems to rank information system vulnerabilities. Unfortunately, there is no cohesion or interoperability among those systems, and they are limited in the scope of what they cover. This document proposes an open and universal vulnerability scoring system to address those shortcomings, with the ultimate goal of promoting a common language for discussing vulnerability severity and impact.

Project Impact: The Common Vulnerability Scoring System (CVSS) makes vulnerability severity and urgency easy to understand. It gives all stakeholders a common language for discussing vulnerabilities and planning their remediation. CVSS is the new and only open standard in the vulnerability scoring arena; computer security vendors and coordinators will support it because their users will request it.

Project Details: The ability to score information system vulnerabilities is extremely important to the professional computing world. It provides the foundation for a standard process by which stakeholders prioritize their actions and respond to the threat that vulnerabilities present. Before this scoring system, the only available solutions were several competing, incompatible, and closed vulnerability scoring systems. The lack of a unified standard caused considerable confusion when a single vulnerability was released and scored differently by the different systems; sometimes the resulting scores were inversely correlated, which made no sense. This document describes CVSS, an open standard for scoring vulnerabilities. CVSS is designed to rank information system vulnerabilities and to give an end user a composite score representing the overall severity and risk the vulnerability presents. Using CVSS, security professionals, executives, and end users have a common language with which to discuss security vulnerability severity.

Project Deliverables:
Status: 100 percent completed. CVSS version 1.0 is completed and delivered. FIRST has taken custodial care of CVSS as it continues to gain industry acceptance and the core team works on improvements.
