Authored by: PlexTrac Author Posted on: January 8, 2020 The CVSS v3 Vulnerability Scoring System What is the CVSS Scoring System? CVSS stands for Common Vulnerability Scoring System, and is a way for cyber security professionals to track the vulnerability level of different findings in a simple and easy-to-understand way. Overall, the CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. This scoring system consists of three metric groups; Base, Temporal, and Environmental. The Base metrics produces a score ranging from 0-10, which can then be modified by scoring the Temporal and Environmental groups. A CVSS score is also represented by a vector string, which is a compress textual representation of all of the values used to derive the overall numerical score. All of this adds up to the CVSS score being a great standard measurement system for organizations, industries, and governments that require accurate and reliable vulnerability scores. Two common uses of the CVSS v3 score include calculating the the severity of vulnerabilities discovered on one’s systems and as a factor in the prioritization of vulnerability remediation strategies. CVSS is owned by FIRST and used by permission. This calculator is based on the official FIRST CVSS documentation. How to Calculate Your CVSS Score Like previously stated, your CVSS v3 score is the summation of three metric groups, being your Base, Temporal, and Environmental levels. This gives you a wide ranging view of your organization, the specific finding, and the vulnerability it exposes your company to. While we will not run through the specific equations used to calculate your CVSS score, we will be going through each of the three metrics groups in the calculation to dissect what they measure. Metric Group 1 – Base Your Base score is crucial to beginning the CVSS calculation. Simply put, the Base calculation works to describe the intrinsic qualities of a vulnerability that are constant over time and across different user environments. These are the constant aspects of the vulnerability, hence the term “Base”. The base calculation takes aspects like the actual attack vector, attack complexity, and the overall impact into consideration. Metric Group 2 – Temporal Once the Base calculation has been determined, it is time to calculate the supplementary Temporal and Environmental aspects of the calculation. The Temporal calculation reflects the characteristics of a vulnerability that change over time. Temporal characteristics include aspects like the remediation level, the exploit code maturity, and the report confidence. Metric Group 3 – Environmental The last aspect of your CVSS calculation is Environmental. The Environmental aspect of the calculation represents the aspects of the vulnerability that are unique to a user’s environment. Environmental aspects for your vulnerability include the modified base metrics, and the confidentiality, integrity, and availability requirements. CVSS v3 Scoring Severity While CVSS v2 only had three level tiers for scoring severity, CVSS v3 now includes 5 for greater accuracy and representation of actual vulnerability severity. The breakdown of the new v3 scores can be seen below: None: 0.0 Low: 0.1-3.9 Medium: 4.0-6.9 High: 7.0-8.9 Critical: 9.0-10.0 While this may go without saying, you will want to prioritize findings with higher CVSS scores first and work down the list. Findings with higher vulnerability scores are more susceptible to attack and compromise, and are areas of higher weakness for your organization. Documenting CVSS Scores in Your Reports Including CVSS v3 scores in your penetration test reports is a great way to solidify your findings and back up your plan for remediation. A simple yet effective way to include severity ratings in your report can be seen in the table below: Why is CVSS Scoring Important? So why should we care about the CVSS scoring system? Overall, the CVSS provides vast amounts of organizations across the world with a simple way to categorize and rank vulnerabilities in their company. Furthermore, the CVSS system is valuable for three very important reasons: The CVSS scoring system provides a standardized vulnerability score for organizations across the industry. This helps critical information flow more effectively between sections within an organization and across organizations. The formula for calculating the CVSS score is open and freely accessible to anyone. This provides clarity and transparency for understanding the scores and how they were calculated. The CVSS system helps prioritize risk. The scores show you the risk associated with each vulnerability identified, which allows you to delegate and prioritize accordingly. Also, the CVSS system provides both simple and more specific metrics, allowing you the freedom to determine scores based on a variety of circumstances. PlexTrac Author At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members—all sharing valuable perspectives on cybersecurity, pentesting, and risk management.
Better Together: CTEM Vendors That Play Nice—and Win Big—Together Exploring NodeZero, Pentera, and PlexTrac for next-gen threat management. Let’s be honest, the cybersecurity tools in your belt keep growing. Then again, so do the cyber threats. How do you... READ ARTICLE
The Most Popular Penetration Testing Tools in 2025: 30 Products to Support Your Pentesting Efforts This Year Penetration testing is a crucial part of cybersecurity and involves finding and exploiting vulnerabilities in networks, applications, systems, or physical environments before the bad actors can. Penetration testing also plays... READ ARTICLE
The CVE Program Regains Funding: A Critical Juncture for Global Cybersecurity If you’ve spent any amount of time in cybersecurity, you’ve likely encountered the CVE (Common Vulnerabilities and Exposures) Program. It’s a foundational piece of how we identify and talk about... READ ARTICLE