The CVSS v3 Vulnerability Scoring System

What is the CVSS Scoring System?

CVSS stands for Common Vulnerability Scoring System. It is an open framework that gives security professionals a simple, consistent way to communicate the characteristics and severity of software vulnerabilities, so that findings from different tools, teams, and vendors can be compared on the same scale. The scoring system consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be adjusted by scoring the Temporal and Environmental groups.

A CVSS score is also represented by a vector string, a compact textual representation of every metric value used to derive the numerical score (for example, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Because the vector records the inputs and not just the result, anyone can reproduce or dispute a score from it. This makes CVSS a useful standard measurement system for organizations, industries, and governments that require accurate and reproducible vulnerability scores.

Two common uses of the CVSS v3 score are rating the severity of vulnerabilities discovered on one's systems and serving as one input to the prioritization of vulnerability remediation.

How to Calculate Your CVSS Score

As stated above, a CVSS v3 score is built from three metric groups: Base, Temporal, and Environmental. The groups are not simply added together; the Base score is computed first and the other two groups scale it. Together they describe the vulnerability itself, how the threat around it has developed, and what it means for your specific environment. While we will not run through the specific equations used to calculate a CVSS score, we will go through each of the three metric groups to dissect what they measure.

Metric Group 1 - Base

The Base score is the starting point of every CVSS calculation. Simply put, the Base metrics describe the intrinsic qualities of a vulnerability that are constant over time and across different user environments, hence the term "Base". They cover how the vulnerability can be exploited (Attack Vector, Attack Complexity, Privileges Required, and User Interaction), whether a successful exploit affects resources beyond the vulnerable component (Scope), and the impact on confidentiality, integrity, and availability.

Metric Group 2 - Temporal

Once the Base score has been determined, it is time to score the supplementary Temporal and Environmental groups. The Temporal metrics reflect the characteristics of a vulnerability that change over time: Exploit Code Maturity (is there a working exploit in the wild?), Remediation Level (is there an official fix, a workaround, or nothing yet?), and Report Confidence (how certain are we that the vulnerability is real?). Temporal metrics can only lower the Base score or leave it unchanged, never raise it.

Metric Group 3 - Environmental

The last part of the CVSS calculation is the Environmental group, which represents the aspects of the vulnerability that are unique to a user's environment. It consists of the Modified Base metrics, which let you override a Base value to reflect your deployment (for example, a network-reachable service that is only exposed on an isolated management segment), and the Confidentiality, Integrity, and Availability Requirements, which weight the impact according to how important each property is for the affected asset.

CVSS v3 Scoring Severity

While CVSS v2 had only three severity tiers (Low, Medium, and High), CVSS v3 has five, giving a finer-grained representation of actual vulnerability severity. The breakdown of the v3 severity ratings can be seen below:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

While this may go without saying, you will generally want to prioritize findings with higher CVSS scores first and work down the list. A higher score means a vulnerability that is easier to exploit, reachable by more attackers, or more damaging when exploited. Keep in mind that the Base score rates severity, not risk: a Critical finding on an isolated test host may matter less than a High on an internet-facing payment system, which is what the Environmental metrics are designed to capture.

Documenting CVSS Scores in Your Reports

Including CVSS v3 scores in your penetration test reports is a great way to solidify your findings and back up your plan for remediation. A simple yet effective way to include severity ratings in your report can be seen in the table below:

Why is CVSS Scoring Important?

So why should we care about the CVSS scoring system? Overall, CVSS gives organizations across the world a simple, shared way to categorize and rank the vulnerabilities found in their systems. Furthermore, the CVSS system is valuable for three very important reasons:

  • The CVSS scoring system provides a standardized vulnerability score for organizations across the industry. This helps critical information flow more effectively between sections within an organization and across organizations.
  • The formula for calculating the CVSS score is open and freely accessible to anyone. This provides clarity and transparency for understanding the scores and how they were calculated.
  • The CVSS system helps prioritize remediation. The scores show you the severity of each vulnerability identified, which allows you to delegate and prioritize accordingly. Also, the CVSS system provides both simple Base metrics and the more specific Temporal and Environmental metrics, allowing you to refine scores for your own circumstances.
