CVSS Definition

CVSS (Common Vulnerability Scoring System) is an open, standard method for estimating the impact of vulnerabilities identified in information technology systems.

That is, it helps quantify the severity these vulnerabilities can represent. The current version is 2, although version 3 is already in development.

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.

These metric groups are described as follows:

  • Base: Represents the intrinsic, fundamental characteristics of a vulnerability that are constant over time and across user environments.
  • Temporal: Represents the characteristics of a vulnerability that change over time but not across user environments.
  • Environmental: Represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

The primary purpose of the CVSS base group is to communicate and define the fundamental characteristics of a vulnerability.

Its aim is to characterize a vulnerability so that users get a clear and intuitive picture of it.

Users can also invoke the temporal and environmental groups to add contextual information that more accurately reflects the risk to their particular environment.

This allows for more informed decisions when trying to mitigate the risks of vulnerabilities.

How does CVSS work?

Once the base metrics have been assigned values, the base equation computes a score in the range 0 to 10 and produces a vector.

The vector is what makes the framework “open”. It is a text string containing the value assigned to each metric, and it is used to communicate exactly how the score was derived for each vulnerability. The vector must therefore always be displayed alongside the vulnerability score.

  • If desired, the base score can be refined by assigning values to the temporal and environmental metrics.
  • This is useful for providing additional context for a vulnerability, giving a more accurate reflection of the risk it poses in the user’s environment.
  • However, this is not required. Depending on the purpose, the base score and the vector may be sufficient.
  • If a temporal score is needed, the temporal equation combines the temporal metrics with the base score to produce a temporal score in the range 0 to 10.

Likewise, if an environmental score is needed, the environmental equation combines the environmental metrics with the temporal score to produce an environmental score in the range 0 to 10.

Who owns the Common Vulnerability Scoring System?

  • CVSS is in the custody and care of the Forum of Incident Response and Security Teams (FIRST).
  • No single organization “owns” CVSS, and membership in FIRST does not require the use or implementation of CVSS.
  • The only requirement for organizations is to publish scores according to the guidelines and to provide the score vector along with the score, so others can understand how the score was derived.

Who uses CVSS?

Various organizations use CVSS, each finding value in it in different ways.

Here are some examples: vulnerability bulletin providers, application software vendors, user organizations, vulnerability management and scanning vendors, and researchers.