CVSS is a standardized framework for rating the severity of security vulnerabilities on a 0-10 scale, enabling consistent prioritization across vulnerability management programs.
CVSS (Common Vulnerability Scoring System) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score from 0.0 to 10.0 reflecting severity, with qualitative ratings of None, Low, Medium, High, and Critical. CVSS is maintained by FIRST and widely used across the cybersecurity industry.
CVSS scores are calculated from the Base metric group evaluating exploitability (attack vector, complexity, privileges required, user interaction) and impact (confidentiality, integrity, availability). Optional Temporal metrics adjust for exploit maturity and remediation level, while Environmental metrics customize scores to organizational context.
CVSS v3.1 defines five severity levels: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These qualitative ratings help organizations establish remediation SLAs, with Critical vulnerabilities typically requiring immediate patching and Low vulnerabilities addressed in regular maintenance cycles.
CVSS v4.0 introduces additional metric groups including Supplemental metrics for safety and automatable assessment, refined attack complexity, and explicit attack requirements. It provides more granular scoring with separate Base, Threat, and Environmental scores, and better addresses vulnerabilities in OT/ICS/IoT environments.
CVSS alone is insufficient for prioritization. Organizations should combine CVSS with asset criticality, exploitation likelihood in the wild (EPSS scores), data sensitivity, network exposure, compensating controls, and business context. A CVSS 7.0 vulnerability on an internet-facing payment system is far more urgent than a CVSS 9.0 on an isolated test server.
EPSS (Exploit Prediction Scoring System) predicts the probability that a vulnerability will be exploited in the wild within 30 days. While CVSS measures theoretical severity, EPSS measures exploitation likelihood. Combining both enables risk-based prioritization focusing on vulnerabilities that are both severe and likely to be actively exploited.
Penetration testers use CVSS to consistently rate discovered vulnerabilities in reports, enabling clients to compare findings across assessments and vendors. Testers often supplement Base scores with Environmental adjustments reflecting the client's specific context, ensuring severity ratings accurately reflect actual risk to the organization.
Common criticisms include that Base scores do not reflect real-world exploitation likelihood; that the scoring system can overrate theoretical severity; that Environmental scoring is rarely used; that the formula clusters scores in the Medium/High ranges, reducing differentiation; and that it does not adequately account for exploit chain combinations or business context.