Common Vulnerability Scoring System

Abbreviation: CVSS
Status: Active
First published: February 2005
Latest version: 4.0
Organization: Forum of Incident Response and Security Teams (FIRST)
Domain: Information security
Website: www.first.org/cvss/

The Common Vulnerability Scoring System (CVSS) is a technical standard for assessing the severity of vulnerabilities in computing systems. A score is computed by a published formula from a set of metrics, recorded in a vector string, that approximate how easy a vulnerability is to exploit (for example attack vector, attack complexity, privileges and user interaction required) and what impact a successful exploit has on confidentiality, integrity and availability. Scores range from 0.0 to 10.0, with 10.0 the most severe. Many consumers use only the CVSS Base score to rate severity, but Temporal and Environmental scores also exist: the Temporal score adjusts for the maturity of exploit code and the availability of a fix, and the Environmental score adjusts for the importance of the affected asset to a particular organization (in CVSS v2 it also captured how widespread vulnerable systems were in the organization). CVSS v4.0 renames the Temporal group to Threat and adds a Supplemental group whose metrics do not change the score.

The current version of CVSS (CVSSv4.0) was released in November 2023.[1]

CVSS measures the severity of a vulnerability, not the risk it poses to a given organization, and its authors do not intend it to be used on its own as a method for prioritizing patching; in practice it is widely used that way regardless.[2] A more effective approach is to combine CVSS with predictive models such as the Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will be exploited in the wild and so helps prioritize remediation by likelihood of real-world exploitation rather than by severity alone.[3]

  1. "FIRST has officially published the latest version of the Common Vulnerability Scoring System (CVSS v4.0)". FIRST. Archived from the original on 2023-11-01.
  2. Spring, J. M.; Hatleback, E.; Manion, A.; Shick, D. (December 2018). "Towards improving CVSS" (PDF). Carnegie Mellon University Technical Reports.
  3. Jacobs, Jay; Romanosky, Sasha; Suciu, Octavian; Edwards, Benjamin; Sarabi, Armin (2023). "Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights". arXiv:2302.14172 [cs.CR].