Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS is not a measure of risk.
CVSS v2.0 and CVSS v3.x consist of three metric groups: Base, Temporal, and Environmental. CVSS v4.0 is structured differently and consists of four metric groups: Base, Threat, Environmental, and Supplemental. The metrics produce a numerical score ranging from 0.0 to 10.0. A CVSS assessment is also represented as a vector string, a compressed textual representation of the metric values used to derive the score.
The CVSS specifications are owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. The official CVSS documentation can be found at https://www.first.org/cvss/.
CVSS Ratings
CVSS v2.0

| Score | Severity |
|---|---|
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 10.0 | High |

CVSS v3.x (v3.0 and v3.1)

| Score | Severity |
|---|---|
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |

CVSS v4.0

| Score | Severity |
|---|---|
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
CVSS Specifications
- CVSS v4.0 Specification: https://www.first.org/cvss/v4.0/specification-document
- CVSS v3.1 Specification: https://www.first.org/cvss/v3.1/specification-document
- CVSS v3.0 Specification: https://www.first.org/cvss/v3.0/specification-document
- CVSS v2.0 Complete Guide: https://www.first.org/cvss/v2/guide