The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard.
CVSS provides a standardized score method to assess and communicate the severity of security vulnerabilities, aiding businesses, service providers, government, and the public in making informed decisions.
The severity of a vulnerability score can be represented by a qualitative rating, such as low, medium, high, or critical. This helps organizations assess and prioritize their vulnerability management processes to defend against cyber attacks.
CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental.
The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user’s environment.
CVSS is not just the Base Score, so to further highlight this, new nomenclature has been adopted in version 4.0:
- CVSS-B: CVSS Base Score
- CVSS-BT: CVSS Base + Threat Score
- CVSS-BE: CVSS Base + Environmental Score
- CVSS-BTE: CVSS Base + Threat + Environmental Score
CVSS Base Score (CVSS-B) Measures Severity, not Risk
The CVSS Specification Document has been updated to emphasize and clarify the fact that CVSS Base (CVSS-B) scores are designed to measure the severity of a vulnerability and should not be used alone to assess risk.
The CVSS v4.0 Specification Document clearly states that the CVSS Base Score represents only the intrinsic characteristics of a vulnerability and is independent of any factor associated with threat or the computing environment where the vulnerable system resides.
The CVSS Base Score should be supplemented with an analysis of the environment (Environmental Metrics), and with attributes that may change over time (Threat Metrics).
For an organization that employs automated methods to comprehensively utilize the Environmental and Threat metric groups, the resulting CVSS-BTE score can be considered much closer to “Risk”.
Some of the changes incorporated into CVSS v4.0 include:
- Reinforce the concept that CVSS is not just the Base score
- New nomenclature has been added to identify combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE)
- Finer granularity through the addition of new Base metrics and values:
  - New Base metric: Attack Requirements (AT)
  - New Base metric values: User Interaction (UI): Passive (P) and Active (A)
- Enhanced disclosure of impact metrics:
  - Scope retired
  - Explicit assessment of impact to Vulnerable System (VC, VI, VA) and Subsequent Systems (SC, SI, SA)
- Temporal metric group renamed to Threat metric group
  - Threat metrics simplified and clarified
  - Remediation Level (RL) and Report Confidence (RC) retired
  - Exploit “Code” Maturity renamed to Exploit Maturity (E) with clearer values
- New Supplemental Metric Group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score
  - Safety (S)
  - Automatable (A)
  - Recovery (R)
  - Value Density (V)
  - Vulnerability Response Effort (RE)
  - Provider Urgency (U)
- Additional focus on OT/ICS/Safety
  - Consumer-assessed Safety (MSI:S, MSA:S)
  - Provider-assessed Safety through Safety (S) supplemental metric
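The nomenclature above (CVSS-B/BT/BE/BTE) and the v4.0 metric changes (AT, UI:P/A, VC..SA, E, the Supplemental group, MSI:S/MSA:S) can be checked mechanically on a vector string. The following is an added example, not code from FIRST or the CVSS specification; it assumes the standard v4.0 vector abbreviations (note that Automatable is written AU in a vector) and treats a Threat or Environmental group as "used" only when one of its metrics is set to something other than X (Not Defined). It deliberately stops short of computing the numeric score, which needs the full MacroVector lookup table.

```python
# Allowed values per metric, grouped the way the v4.0 specification groups them.
BASE = {
    "AV": set("NALP"), "AC": set("LH"), "AT": set("NP"),      # AT is new in v4.0
    "PR": set("NLH"), "UI": set("NPA"),                        # UI gains P and A
    "VC": set("HLN"), "VI": set("HLN"), "VA": set("HLN"),      # Vulnerable System
    "SC": set("HLN"), "SI": set("HLN"), "SA": set("HLN"),      # Subsequent System(s)
}
THREAT = {"E": set("XAPU")}                                    # Exploit Maturity
ENVIRONMENTAL = {
    "CR": set("XHML"), "IR": set("XHML"), "AR": set("XHML"),
    "MAV": set("XNALP"), "MAC": set("XLH"), "MAT": set("XNP"),
    "MPR": set("XNLH"), "MUI": set("XNPA"),
    "MVC": set("XHLN"), "MVI": set("XHLN"), "MVA": set("XHLN"),
    "MSC": set("XHLN"), "MSI": set("XSHLN"), "MSA": set("XSHLN"),  # S = Safety
}
SUPPLEMENTAL = {  # never change the score; Automatable is spelled AU in the vector
    "S": set("XNP"), "AU": set("XNY"), "R": set("XAUI"), "V": set("XDC"),
    "RE": set("XLMH"), "U": {"X", "Clear", "Green", "Amber", "Red"},
}
ALL = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}

def parse_vector(vector: str) -> dict:
    """Return {metric: value}; raise ValueError on anything that is not valid v4.0."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if name not in ALL:  # e.g. RL or RC, which v4.0 retired
            raise ValueError(f"unknown CVSS v4.0 metric: {name!r}")
        if value not in ALL[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    if missing := BASE.keys() - metrics.keys():
        raise ValueError(f"missing mandatory Base metrics: {sorted(missing)}")
    return metrics

def nomenclature(metrics: dict) -> str:
    """CVSS-B, plus T and/or E when any Threat / Environmental metric is set (not X)."""
    threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")

def safety_signals(metrics: dict) -> dict:
    """Consumer-assessed Safety (MSI:S / MSA:S) versus provider-assessed Safety (S:P)."""
    return {"consumer": "S" in (metrics.get("MSI"), metrics.get("MSA")),
            "provider": metrics.get("S") == "P"}
```

A CVSS v3.x vector (prefix CVSS:3.1, Scope S:U/S:C, RL, RC) is rejected rather than silently re-labelled, which is what an ingestion pipeline should do when both versions are in circulation.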
More information about what’s new in CVSS v4.0 is available in PDF format here