CVSS (Common Vulnerability Scoring System) is an open standard for assessing the severity of vulnerabilities.
CVSS was developed by the US National Infrastructure Advisory Council (NIAC). Commercial companies, including Microsoft and Cisco, were involved in creating and updating the standard. The Forum of Incident Response and Security Teams (FIRST) maintains the system.
The current version, released in June 2019, is CVSS v3.1.
CVSS score methodology for vulnerability assessment
According to the CVSS standard, vulnerabilities are scored on the basis of a range of metrics. Three metric groups can be singled out:
- Base metrics are general metrics that describe the vulnerability itself and do not depend on time or on a specific environment. They are divided into two subgroups:
  - Exploitability metrics describe how easy the vulnerability is to exploit. This subgroup includes, for example, the attack vector: some vulnerabilities can be exploited over the network, that is, from anywhere in the world with Internet access, while others require physical access to the vulnerable device, which makes exploitation hard for an arbitrary attacker. Exploitability metrics also include the attack complexity, whether user interaction is needed, and the level of privileges required to carry out the attack.
  - Impact metrics assess the consequences of exploitation for the system and the data stored in it. For example, can attackers disable the system, gain access to sensitive data, modify files, and so on?
- Temporal metrics cover external factors that may change over time, for example the availability of an exploit or, conversely, of a patch.
- Environmental metrics do not affect the base score in any way, but can be used to assess the danger to a specific IT environment. The set of environmental metrics includes the base metrics adjusted for the environment in question. For example, whereas exploiting a vulnerability generally requires minimal privileges, in some organizations only administrators may have access to the vulnerable system. Environmental metrics also include metrics that describe how dangerous the potential consequences of exploitation are for a particular organization. For example, will a server’s downtime affect the company’s operations, or does the company have a backup server ready in the event of an incident?
CVSS Score calculation
Based on the metrics, the CVSS Score is calculated using a set of formulas. It can take a value from 0 to 10, with the following severity rating scale:
- 9.0–10.0 — critical
- 7.0–8.9 — high
- 4.0–6.9 — medium
- 0.1–3.9 — low
- 0.0 — none
There are online CVSS calculators that simplify the assessment, in particular the one available on the FIRST website.