ELI5: What is CVSS?

CVSS gives each weakness a score from 0 to 10, like a danger meter. A 10 means extremely dangerous and needs fixing right now; a 2 means it is not very serious.

Definition

CVSS (Common Vulnerability Scoring System) is an open, industry-standard framework for rating the severity of software vulnerabilities on a scale of 0.0 to 10.0. The score is calculated based on characteristics of the vulnerability itself and the environmental context, enabling organizations to prioritize remediation efforts. Scores are categorized as None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).

Key Details

  • CVSS scores are calculated from three metric groups: Base, Temporal, and Environmental
  • Base metrics: exploitability (attack vector, attack complexity, privileges required, user interaction) and impact (confidentiality, integrity, availability), plus a scope metric that records whether the vulnerability affects components beyond the vulnerable one
  • Temporal metrics: adjust the Base score for factors that change over time: exploit code maturity, remediation level (is an official fix available?) and report confidence
  • Environmental metrics: allow organizations to customize the score for their specific context
  • CVSS v3.1 is the current widely-used version; CVSS v4.0 was released in 2023

Connections