CVSS stands for Common Vulnerability Scoring System, and is a way for cybersecurity professionals to track the severity of different findings in a simple and easy-to-understand way. Overall, the CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. This scoring system consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental groups.
A CVSS score is also represented by a vector string, which is a compressed textual representation of all of the values used to derive the overall numerical score. All of this adds up to the CVSS score being a great standard measurement system for organizations, industries, and governments that require accurate and reliable vulnerability scores.
Two common uses of the CVSS v3 score include calculating the severity of vulnerabilities discovered on one's systems and serving as a factor in the prioritization of vulnerability remediation strategies.
As previously stated, your CVSS v3 score combines three metric groups: Base, Temporal, and Environmental. Together they give you a wide-ranging view of your organization, the specific finding, and the risk it exposes your company to. While we will not run through the specific equations used to calculate your CVSS score, we will be going through each of the three metric groups in the calculation to dissect what they measure.
Your Base score is crucial to beginning the CVSS calculation. Simply put, the Base calculation works to describe the intrinsic qualities of a vulnerability that are constant over time and across different user environments. These are the constant aspects of the vulnerability, hence the term “Base”. The base calculation takes aspects like the actual attack vector, attack complexity, and the overall impact into consideration.
Once the Base score has been determined, it is time to calculate the supplementary Temporal and Environmental aspects of the calculation. The Temporal metrics reflect the characteristics of a vulnerability that change over time. Temporal characteristics include aspects like the remediation level, the exploit code maturity, and the report confidence.
The last aspect of your CVSS calculation is Environmental. The Environmental metrics represent the aspects of the vulnerability that are unique to a user's environment. Environmental aspects for your vulnerability include the modified Base metrics and the confidentiality, integrity, and availability requirements.
While CVSS v2 only had three severity tiers for scoring, CVSS v3 now includes 5 for greater accuracy and a better representation of actual vulnerability severity. The breakdown of the new v3 scores can be seen below:
While this may go without saying, you will want to prioritize findings with higher CVSS scores first and work down the list. Findings with higher vulnerability scores are more susceptible to attack and compromise, and are areas of higher weakness for your organization.
Including CVSS v3 scores in your penetration test reports is a great way to solidify your findings and back up your plan for remediation. A simple yet effective way to include severity ratings in your report can be seen in the table below:
So why should we care about the CVSS scoring system? Overall, the CVSS provides vast numbers of organizations across the world with a simple way to categorize and rank the vulnerabilities in their environment. Furthermore, the CVSS system is valuable for three very important reasons: