
Common Vulnerability Scoring System (CVSS Score)

Overview

A CVSS score isn’t how much you save at the bottom of a really long pharmacy receipt, although those are quite comical. CVSS stands for Common Vulnerability Scoring System, a well-known and widely used cybersecurity framework for ranking security vulnerabilities.

While the CVSS scoring system is inarguably beneficial, solely relying on the CVSS framework is like having a fishing boat without a compass or sonar. It’s great to have in your cybersecurity tool belt, but you need to be aware of potential blind spots, shortcomings, and risks that come with CVSS scoring without proper business context.

In this article, we’ll discuss the ins and outs of CVSS, including the good, the bad, and the ugly.

You’ll learn:

  • What CVSS is in cybersecurity
  • What you need to know about implementing the latest developments, like CVSS 4.0
  • How to leverage a CVSS scoring calculator
  • How the CVSS scoring system has evolved and why it matters for you
  • How to refine your vulnerability management program to reduce risks
  • Why CVSS scores aren’t enough and where their limits lie
  • What the common misuses of CVSS are, and how to avoid them
  • How to amplify your security program with the business context
  • What our predictions are for future risk-based scoring

TL;DR

Common Vulnerability Scoring System (CVSS) has been a standard cybersecurity framework for assessing and managing vulnerabilities. Its easy-to-understand numeric scoring system makes decision-making for executives and security professionals quicker and more effective.

Still, it is not a silver bullet. Leveraging CVSS calculations without considering environmental and business context can result in less than ideal risk prioritization, misdirected resources, and ineffective remediation efforts.

Layering vulnerability and threat exposure management tools, like PlexTrac, Tenable’s Nessus, and OpenVAS, can further expand upon CVSS scoring by adding factors such as better threat intelligence, environmental context, and business impact analysis into the risk scoring for smarter remediation decisions.

What Is CVSS (Common Vulnerability Scoring System) in Cybersecurity?

First off, what is the common vulnerability scoring system (CVSS)? CVSS is a free and open standardized method for tracking the severity of security vulnerabilities. It provides a simple way to capture the characteristics of a vulnerability and score the vulnerability by severity, which can then be translated into a qualitative representation, such as low, medium, high, and critical.

If you want to learn more about CVSS, check out our prior articles on CVSS 3.0 and CVSS 3.1.

What Is a CVSS Score?

FIRST, the creators of the framework, define CVSS (Common Vulnerability Scoring System) as an “open framework for communicating the characteristics and severity of software vulnerabilities.” Breaking it down further, a CVSS score is the compilation of those characteristics, divided into four metric groups: Base, Threat, Environmental, and Supplemental. CVSS is designed to provide a numeric way to rank the severity of a vulnerability. The CVSS score ranges from 0 to 10.

Forum of Incident Response and Security Teams (FIRST) developed the CVSS cybersecurity framework as a universal language for security teams to help prioritize potential risks based on severity. The constant flood of vulnerabilities that defenders face daily can be overwhelming, and having a way to properly sort, evaluate, and tackle the threats is critical for accurate security resource allocation.

Not only that, but giving vulnerabilities a CVSS score enables better communication and collaboration between stakeholders. Security analysts, developers, managers, and leadership can all understand the numerical vulnerability scale to make better business decisions, from risk management to strategic planning.

Interested in calculating your CVSS score? Contact us, and we’ll show you how the PlexTrac platform leverages the latest CVSS scoring calculator for v4, and older versions like v3.1, for your convenience.

Why Did CVSS Become the Standard?

CVSS became the standard for security teams because of its straightforward numeric framework. Seeing a clear number on a risk scale helps red teamers, blue teamers, and executives communicate effectively about the potential threats and adapt protocols to strengthen their security posture.

Not only that, CVSS helps teams assess third-party vendors and partners for potential security risks and ensure they meet the required security standards. CVSS also demonstrates efforts to meet compliance and can be measured over time to track ongoing improvements.

Additionally, CVSS scoring enables developers and product managers to discover vulnerabilities early in the development lifecycle, a stage where security is often overlooked. Addressing vulnerabilities earlier can help reduce risks, launch products faster, and minimize post-launch bug fixes.

Overall, CVSS consistently ranks vulnerabilities, so no matter which team you reside on, you can prioritize risks at scale and effectively allocate resources to address the greatest threats and minimize impact before a potential breach.

How Does CVSS Work?

CVSS works by assessing a vulnerability against measurable factors: each metric question about the vulnerability is answered with a value, and a CVSS calculator combines those values into a final severity rating ranging from 0 to 10. A vulnerability with a high CVSS score might prompt immediate remediation, while a lower score may indicate that the vulnerability can be resolved later through routine maintenance — but that isn’t always the case.

Here’s a quick overview of how CVSS works:

  1. You’ll identify the vulnerability, gather intel on it, and answer the CVSS metric questions.
  2. Every question has a pre-calculated value. For example, a network issue has a higher risk score than a physical security issue.
  3. Once all the questions are answered, a value for the Base Score is created.
  4. Then the score should be refined by Threat, Environmental, and Supplemental metrics.
  5. A CVSS calculator can generate a final score between 0 and 10 with its priority rating.
  6. Pro tip: Be sure to adjust your scores based on context surrounding your environment.

What Metrics Are Measured in the CVSS Scoring System?

As mentioned, the latest CVSS 4.0 groups metrics into four categories: Base, Threat, Environmental, and Supplemental. We’ve simplified FIRST’s Common Vulnerability Scoring System version 4.0: Specification Document so you can better and more quickly understand the metrics behind a CVSS score.

Figure 1: CVSS Metric Groups (as cited by FIRST)

Base Metric Group

The Base metric group encompasses overall characteristics of a vulnerability that remain consistent over time and across environments. Within this group, there are two subsets: Exploitability metrics and Impact metrics.

The Exploitability Base metrics help security teams assess the vulnerable assets and how easily the vulnerability can be exploited.

Exploitability Base metrics include:

  • Attack vector: How remote an attacker can be when exploiting the vulnerability, from the network down to physical access
  • Attack complexity: How hard it is to line up the conditions needed for an attack to succeed
  • Attack requirements: Amount of preparation needed for exploitation
  • Privileges required: Level of access required to exploit the vulnerability
  • User interaction: Actions needed from someone other than the attacker to initiate an attack

The Impact metrics define the repercussions of an exploit and how the vulnerability can snowball.

The Impact Base metrics include:

  • Vulnerable system confidentiality: Amount of sensitive data on the affected system that could be exposed.
  • Vulnerable system integrity: Potential for the accuracy and trustworthiness of data on the affected system to be altered.
  • Vulnerable system availability: Extent to which the availability or uptime of the affected system could be impacted.
  • Subsequent system confidentiality: Amount of sensitive data on connected systems that could be exposed.
  • Subsequent system integrity: Potential for the accuracy and trustworthiness of data on connected systems to be altered.
  • Subsequent system availability: Extent to which the availability or uptime of connected systems could be impacted.

Threat Metric Group

The Threat metric group captures vulnerability characteristics that may change over time or across user environments, so the values in this group are expected to change as new information becomes available.

Threat metrics include:

  • Exploit maturity: Development and availability of an exploit in real life, which includes technical and non-technical aspects.

Environmental Metric Group

As it sounds, the Environmental metric group represents vulnerability attributes as they pertain to an organization’s environment, such as the infrastructure, protocols, and security controls in place to prevent exploitation.

Environmental metrics include:

  • Modified Base metrics, re-evaluated for your environment (each is defined in the Base metrics section above):
    • Attack vector
    • Attack complexity
    • Attack requirements
    • Privileges required
    • User interaction
    • Vulnerable system confidentiality
    • Vulnerable system integrity
    • Vulnerable system availability
    • Subsequent system confidentiality
    • Subsequent system integrity
    • Subsequent system availability

Supplemental Metric Group

The Supplemental metric group adds context by capturing extrinsic vulnerability characteristics whose weight is decided by the CVSS user. This lets the security team or end user decide how much each of these metrics should influence their own risk analysis. These metrics don’t significantly affect the final numeric CVSS score, but they do let the user record the impact each one has in their environment.

Supplemental metrics include:

  • Automateable: Measurement of repeatability or scalability via automation
  • Recovery: Assess the ability to restore operations to normal after an attack
  • Safety: Determine if the vulnerability will put anyone in physical danger
  • Value Density: Analyze the valuable data accessibility from an attack
  • Vulnerability Response Effort: Amount of work required to fix the vulnerability
  • Provider Urgency: Rate the gravity of the vulnerability repair

Need help calculating your CVSS score? Contact us to leverage the PlexTrac CVSS calculator.

How Is a CVSS Cybersecurity Score Calculated?

You calculate a CVSS score through the four metric groups: Base, Threat, Environmental, and Supplemental. The formula for calculating your CVSS score is open and freely accessible. However, it isn’t a simple closed-form expression; rather, the metric values you select are combined by the specification’s scoring method into a final score and qualitative rating.

Ultimately, the scores demonstrate the risk associated with each vulnerability, allowing you to delegate and prioritize accordingly. The CVSS system provides both simple and more specific metrics to choose the score based on your circumstances.

Table 1: CVSS Score and Qualitative Rating

CVSS Score Range    Qualitative Rating
0.0                 None
0.1 – 3.9           Low
4.0 – 6.9           Medium
7.0 – 8.9           High
9.0 – 10.0          Critical

What Is a Real-World Example of Calculating a CVSS Score?

Sometimes it’s easier to understand cybersecurity practices with real-world scenarios. So here we’ll demonstrate how to calculate your CVSS cybersecurity score.

Vulnerability Example for CVSS Evaluation

Example scenario: A blue team security analyst found an SQL injection flaw in their e-commerce website.

Vulnerability background:

  • An exploit is possible through the internet without a login.
  • No user interaction with internal staff is needed.
  • Exploitation may permit rights to read, modify, or even delete customer records.
  • If the vulnerable page is reachable, the exploit works without any further conditions.
  • No other systems appear to be affected aside from the vulnerable database.
  • The exploit code is already posted publicly.

Once you have gathered all the intelligence around the vulnerability as described above, you can determine the CVSS Base metrics.

Base Metrics Example

Metric                                  Value        Reason
Attack Vector (AV)                      Network (N)  Exploitable over the internet.
Attack Complexity (AC)                  Low (L)      Works without restricted conditions.
Attack Requirements (AT)                None (N)     No special setup needed.
Privileges Required (PR)                None (N)     No login required.
User Interaction (UI)                   None (N)     Works without other user actions.
Vulnerable System Confidentiality (VC)  High (H)     Customer data could be exposed.
Vulnerable System Integrity (VI)        High (H)     Data can be modified and deleted.
Vulnerable System Availability (VA)     High (H)     Possible to take the system offline.
Subsequent System Confidentiality (SC)  None (N)     No other systems were exposed.
Subsequent System Integrity (SI)        None (N)     No other systems were impacted.
Subsequent System Availability (SA)     None (N)     No other systems were impacted.

To calculate your CVSS Base Score, plug the values above into a CVSS 4.0 calculator, like PlexTrac’s, to get a Base Score.

Base Score = 9.9 (putting this vulnerability in the Critical category)

Now that you have a Base CVSS score, apply the threat metric to it to adjust the scoring.

Threat Metrics Example

Metric                Value     Reason
Exploit Maturity (E)  High (H)  Full public exploit available.

Typically, a high Exploit Maturity value would increase the vulnerability risk score; in this example, however, the Base score is already close to the maximum of 10 (Critical), and the calculator left the Threat score unchanged.

Threat Score = 9.9 (unchanged; remains in the Critical category)

Next, we need to determine how the Environment will impact the Base/Threat Score.

Environmental Metrics Example

In this example, the vulnerable environment is a public website that doesn’t contain compensating controls like WAF, segmentation, or tokenization. Therefore, the Environmental Modified Base Metrics will remain unchanged from the original Base Metrics.

On the other hand, if you did deploy mitigations, such as WAF, strict input validation, encryption, or network segmentation, that would change the modified metric and lower the Environmental score.

Metric                                  Value        Reason
Attack Vector (AV)                      Network (N)  Exploitable over the internet.
Attack Complexity (AC)                  Low (L)      Works without restricted conditions.
Attack Requirements (AT)                None (N)     No special setup needed.
Privileges Required (PR)                None (N)     No login required.
User Interaction (UI)                   None (N)     Works without other user actions.
Vulnerable System Confidentiality (VC)  High (H)     Customer data could be exposed.
Vulnerable System Integrity (VI)        High (H)     Data can be modified and deleted.
Vulnerable System Availability (VA)     High (H)     Possible to take the system offline.
Subsequent System Confidentiality (SC)  None (N)     No other systems exposed.
Subsequent System Integrity (SI)        None (N)     No other systems impacted.
Subsequent System Availability (SA)     None (N)     No other systems impacted.

Environmental Score = 9.9 (unchanged; remains in the Critical category)

That brings us to the fourth and final CVSS metric for calculations: Supplemental Metrics.

Supplemental Metrics Example

Metric                               Value              Reason
Automateable (AU)                    Yes (Y)            SQL injection can be scripted and automated.
Recovery (RE)                        Administrator (A)  Requires skilled intervention to fix.
Safety (S)                           None (N)           No direct human-safety impact.
Value Density (VD)                   High (H)           Database holds payment + PII.
Vulnerability Response Effort (VRE)  Low (L)            Patch is available but will require testing.
Provider Urgency (PU)                High (H)           Urgent for PCI DSS compliance.

For this example, the Supplemental metrics reinforce, rather than contradict, the urgent need for remediation.

In summary, for this SQL injection flaw in the e-commerce website example, the final CVSS score would be:

  • Base Score = 9.9 (Critical)
  • Threat Score = 9.9 (Critical)
  • Environmental Score = 9.9 (Critical)
  • Supplemental = Patch Immediately (Highly automatable with high value target and high vendor urgency.)
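To make the metric tables above concrete, here is an added Python example (not PlexTrac’s code) that builds and validates a CVSS 4.0 vector string for the SQL injection scenario, applies the Environmental Modified Base metrics over the Base metrics, and maps a calculator’s numeric score to the Table 1 rating. It also accepts the Confidentiality, Integrity and Availability Requirement metrics (CR/IR/AR) defined in the CVSS 4.0 specification, which the Environmental list above does not mention; the numeric score itself is left to a calculator, since it needs the specification’s MacroVector lookup table, and the dev-server values at the end are a constructed scenario.

```python
"""Build, validate and interpret CVSS 4.0 vector strings (added example)."""
from collections import OrderedDict

# Allowed values per metric, as listed in the CVSS v4.0 specification.
# X = Not Defined, valid only for Threat and Environmental metrics.
BASE = OrderedDict([
    ("AV", "NALP"), ("AC", "LH"), ("AT", "NP"), ("PR", "NLH"), ("UI", "NPA"),
    ("VC", "HLN"), ("VI", "HLN"), ("VA", "HLN"),
    ("SC", "HLN"), ("SI", "HLN"), ("SA", "HLN"),
])
# 4.0 Exploit Maturity is Attacked / POC / Unreported; "High" is a 3.x value.
THREAT = OrderedDict([("E", "XAPU")])
ENVIRONMENTAL = OrderedDict(
    [("CR", "XHML"), ("IR", "XHML"), ("AR", "XHML")]        # security requirements
    + [("M" + m, "X" + v) for m, v in BASE.items() if m not in ("SI", "SA")]
    + [("MSI", "XSHLN"), ("MSA", "XSHLN")]                  # S = Safety impact
)
ALL = OrderedDict(list(BASE.items()) + list(THREAT.items()) + list(ENVIRONMENTAL.items()))

# Table 1: upper bound of each qualitative rating band.
RATING_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]


def build_vector(metrics):
    """Return a CVSS:4.0 vector string with metrics in specification order.

    Raises ValueError when a Base metric is missing, a metric name is unknown,
    or a value is not one the specification allows for that metric.
    """
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing Base metrics: " + ", ".join(missing))
    for name, value in metrics.items():
        if name not in ALL:
            raise ValueError("unknown metric %r" % name)
        if len(value) != 1 or value not in ALL[name]:
            raise ValueError("%s:%s is not a valid CVSS 4.0 value" % (name, value))
    return "CVSS:4.0/" + "/".join("%s:%s" % (m, metrics[m]) for m in ALL if m in metrics)


def parse_vector(vector):
    """Parse a vector string into an ordered {metric: value} dict.

    Metrics may appear in any order; duplicates and malformed items are
    rejected, and every value is checked through build_vector.
    """
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: %r" % vector)
    metrics = OrderedDict()
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name in metrics:
            raise ValueError("malformed or duplicate metric %r" % item)
        metrics[name] = value
    build_vector(metrics)
    return metrics


def is_valid_vector(vector):
    """True when the vector parses and every value is allowed."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def effective_metrics(metrics):
    """Apply the Environmental Modified metrics over the Base metrics.

    A Modified metric left at X (Not Defined) keeps the Base value, which is
    why a compensating control that is never recorded changes nothing.
    """
    effective = OrderedDict((m, metrics[m]) for m in BASE)
    for m in BASE:
        override = metrics.get("M" + m, "X")
        if override != "X":
            effective[m] = override
    return effective


def qualitative_rating(score):
    """Map a calculator's numeric score to its Table 1 rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores range from 0.0 to 10.0")
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label


# The article's SQL injection example as a metric dict (taken from the Base
# Metrics table; the 9.9 score comes from a calculator, not from this code).
SQLI_BASE = {"AV": "N", "AC": "L", "AT": "N", "PR": "N", "UI": "N",
             "VC": "H", "VI": "H", "VA": "H", "SC": "N", "SI": "N", "SA": "N"}


def dev_server_vector():
    """Same flaw on a non-internet-exposed dev server with no real customer data:
    record that in the Environmental metrics rather than hand-waving the Base
    score down (constructed scenario; MAV:L and low CR/IR/AR are assumptions)."""
    return build_vector(dict(SQLI_BASE, MAV="L", CR="L", IR="L", AR="L"))


if __name__ == "__main__":
    print(build_vector(SQLI_BASE), qualitative_rating(9.9))
    print(dev_server_vector(), effective_metrics(parse_vector(dev_server_vector()))["AV"])
```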

What Are Recommended CVSS Calculators and Tools for CVSS Scoring?


Tools that optimize CVSS scoring are solutions that add automation, threat intelligence, and artificial intelligence to support better risk prioritization. With that in mind, we highly recommend leveraging the National Vulnerability Database (NVD), a vulnerability database containing CVSS scores, along with a CVSS calculator, such as PlexTrac’s built-in CVSS score calculator.

It’s important to note which CVSS version you are using internally and which versions the CVSS calculator tools support. Our calculator assesses vulnerability severity using CVSS v4.0, but also supports earlier versions such as CVSS v3.1 to meet your needs.

Other tools to consider include Tenable Vulnerability Management (VM), which incorporates Nessus scanning capabilities but expands on them with broader exposure management, reporting, and risk prioritization features. When paired with the PlexTrac + Tenable integration, you gain comprehensive vulnerability management with contextual, risk-based prioritization, plus added functionality like scheduled auto-pulls of findings, the ability to configure multiple client-specific integrations, and data mapping for each Tenable connection.

For open-source options, OpenVAS (part of the Greenbone Vulnerability Management suite) does not generate CVSS scores independently, but instead pulls them from its associated vulnerability feeds (Greenbone Community Feed or Greenbone Enterprise Feed). These platforms can still help teams incorporate CVSS into their security practices without added licensing costs.

Lastly, security communities and information sites, such as the MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) list, provide additional information around CVSS as well as best practices for implementing CVSS effectively.

What Are the Differences Between the CVSS Versions?

Just as threats and technology advance, the CVSS has adapted and created multiple versions over the years. Each new version of CVSS addresses old security gaps and limitations from the previous one.

Here’s how the CVSS versions have changed to address the latest and greatest threats:

CVSS 2.0 (2007)

Simple and focused on exploitability and impact. However, it lacked granularity, environmental context, and consistent scoring.

CVSS 3.0 (2015)

Adjusted to reflect real-world conditions by introducing the Base, Temporal, and Environmental metric groups. It also added the User Interaction and Privileges Required metrics for improved accuracy.

CVSS 3.1 (2019)

Minor refinement of 3.0, which included better definitions, guidance, and consistency on how scores are applied. This is currently one of the most widely used versions. If you’re using this version, consider using our CVSS 3.1 calculator to streamline your efforts, improve focus, and easily calculate scores.

CVSS 4.0 (2023)

With several new additions, the CVSS 4.0 specification offers greater adaptability and flexibility for organizations. Upgraded with new metric groups, Threat and Supplemental, it helps create more accurate measurements around operational technology (OT), Internet of Things (IoT), and safety-critical systems. Some of the new metrics include safety impact, value density, automatability, and recovery.

If you need a CVSS 4.0 calculator, contact us, and we’ll show you how our platform leverages the latest CVSS score calculator for your convenience.

CVSS is owned by FIRST and used by permission. This calculator is based on the official FIRST CVSS documentation.

How Does CVSS 3.1 vs. CVSS 4.0 Compare?

When comparing CVSS 3.1 vs. CVSS 4.0, it comes down to addressing the shortcomings of the former version as noted in FIRST’s Common Vulnerability Scoring System Version 4.0 documentation. One of the biggest drawbacks of CVSS 3.1 was that two vulnerabilities with similar scores could have vastly different real-world impacts. Supplemental metrics in CVSS 4.0 empower security teams to make better decisions with more information regarding their prioritization workflows.

Feature                             CVSS 3.1               CVSS 4.0
Base Metrics                        8 total                9+ (includes Safety Impact)
Threat Metrics                      Not formally included  Added as a formal group
Supplemental Metrics                Not present            Recently added (Automatable & Recovery)
Safety Focus (OT/ICS)               Very little            Significant (Safety Impact metric)
Value Density Focus                 None                   Added
Metric Weighting Flexibility        Limited                Greater customization
Vendor Guidance (Provider Urgency)  Not captured           Optionally captured

What Are Adoption Best Practices for CVSS 4.0?

Like many technologies, moving to CVSS 4.0 has many advantages, but it comes with challenges. For example, you need to ensure your current tools support CVSS 4.0 and aren’t built around CVSS 3.1.

On top of that, you need to make sure your team is trained on the new safety metrics. Also, note that a vulnerability’s score will likely not be the same after the move from CVSS 3.x to CVSS 4.0. Lastly, it may take months or even years, as we’ve seen, for software vendors and CVE Numbering Authorities (CNAs) to transition their scoring to CVSS 4.0.

But when you’re ready to transition to CVSS 4.0, you’ll gain more insight into your or your client’s environment and the potential risks that may arise.

Why Isn’t CVSS Enough?

At PlexTrac, we’re fans of CVSS. It’s a great tool for evaluating vulnerabilities and their severity. But it’s not without its limits. The main limitation of CVSS is that it serves as an intent signal, rather than a true decision maker. The CVSS framework requires human intervention and expertise to truly pinpoint the greatest risks.

The Limitations of the CVSS Scoring System

CVSS falls short in these areas:

  • Not a be-all, end-all solution: Nothing is “one size fits all”, except those weird bubble, popcorn shirts from the early 2000s. Those were truly magical. Anywho, the CVSS scoring doesn’t fully account for your business priorities, asset values, or your current threat models. When using the CVSS scoring methodology, think about your environment and business context.
  • The manual lift can be a burden: Although automated tools and CVSS calculators can help security teams determine the final CVSS score, each vulnerability (and there are typically tons) needs to be evaluated and assigned values by humans to ensure the organization and its environment are top of mind in leading the decisions.
  • Overreliance on simplification leads to danger: A final CVSS score seems simple and finite, but it may not be. A CVSS score doesn’t consider exploit chaining, business context, or the full extent of impact. It relies on you to know your environment and make those decisions. Answering the CVSS questions may seem easy, but they require accuracy. To avoid a false sense of reliance, be sure to use a multi-faceted approach to vulnerability management.
  • Mismatched context results in mismanaged resources: Mismatched socks were cool for a minute, but mismatching in cybersecurity isn’t ever going to be popular. For example, let’s say we have a final CVSS score of 5.0 in the “Medium” category; however, if it impacts a critical system and that wasn’t recorded in the Environmental metrics, it could be a major risk to the entire business and its clients.

Don’t get us wrong, CVSS is an awesome scoring methodology, and helps many security teams. But it comes with challenges. Knowing them and working with these restrictions in mind, along with other threat exposure management tools, will set you up for success.

Looking to prioritize risk like a pro and protect like a boss? Check out our Risk Mastery Playbook.

Book a Demo Today

What Are Common Misuses of CVSS?

Going alongside the CVSS limitations, there are several ways the CVSS scoring system can be misused and abused. We want to help you avoid these.

Solely Standing on Numeric CVSS Scores

CVSS scores may seem like an objective ranking, but they come down to some subjective calls as well, as you may have seen in our CVSS example above. Without existing knowledge of the environment and critical systems, the CVSS calculation produces a score that may not incorporate all the important factors. Security teams must carefully research the vulnerability before ranking it, and leverage additional vulnerability management tools for the most accurate risk analysis.

Basing Scores on the Base Score Alone

Earlier CVSS versions didn’t put as much emphasis on the Environmental metric, and this often leads to security teams relying mostly on the Base score. Yes, the Base score does rank a vulnerability on technical severity, but it doesn’t take your infrastructure, assets, or resources into account. Adding in Environmental metrics reevaluates scores based on your business and adds a bit more context around network exposure, asset value, and existing compensating controls.

Assuming High CVSS Scores Means High Risk

Seeing a high CVSS score immediately is going to raise red flags and alerts with any security professional. However, a high CVSS score doesn’t always mean there is a high risk for YOUR business. For example, let’s say there’s a vulnerability that the CVSS system ranks as a 9.7, but it’s not actually publicly accessible and it’s on a non-internet-exposed dev server. This makes the vulnerability less of a priority than it originally ranked. The CVSS score isn’t wrong. It just requires your business and environment knowledge to evaluate how critical a vulnerability truly is.

Believing that CVSS Is Keeping Up with the Trends

Unfortunately, CVSS does not measure exploit trends, adversary activity, or the likelihood of attack for your organization. That’s why we highly suggest integrating with threat intelligence tools and embracing continuous threat exposure management. Without these tools and added context, organizations may focus their resources and efforts on less critical vulnerabilities, leaving them more vulnerable.

How Do You Optimize CVSS with Risk-Based Vulnerability Prioritization?

Like the Labyrinth movie, you’re either a big fan of it or you’re feeling drained by the ongoing maze. The CVSS methodology has security professionals who swear by it, and others are left feeling “meh”. Truthfully, we think the difference in opinions comes down to how the CVSS system is used.

We love CVSS here at PlexTrac, but we also know it needs risk-based prioritization and business context to add true value. When we talk about business context, we mean asset criticality, likelihood of exploitation in real life (not just scenarios), and potential business impact.

To optimize CVSS with risk-based vulnerability prioritization, you need to:

  • Add context to CVSS
  • Augment CVSS for better risk-based decisions
  • Amplify your CVSS score with helpful threat management tools

When you use CVSS in conjunction with prioritization and threat exposure management tools, like PlexTrac’s solution, you’ll gain even greater insights to quickly identify your most impactful risks for better, more informed decisions. For instance, you can factor in the variables most important to your business, industry, and risk appetite to drive a more risk-based approach that measures the true impact on your business.

With a solution that lets you automatically prioritize remediation by business risk, like the one PlexTrac offers, you can quickly build fully-configurable risk scoring equations, identify and track underlying issues, automate contextual risk scoring calculations, and run remediation workflows with less manual intervention.

Whether you use government databases, commercial tools, open-source platforms, collaborative communities, or the PlexTrac platform, augmenting the CVSS system will empower better decisions and help you protect what really matters in your organization and what’s critical at that moment in time.

What Are the Best Practices for Security Teams Using CVSS? 

As security teams leverage the CVSS scoring system, they should keep these best practices in mind:

  • Layer the CVSS framework with other tools and solutions as part of your tool belt.
    For the most accurate risk prioritization, you’ll want to use CVSS in conjunction with threat intelligence feeds, exploit maturity data, and asset criticality ratings.
  • Work collaboratively across security teams and business leaders.
    CVSS technical severity scores shouldn’t dictate priorities on their own. Involving a team with diverse expertise from operations, finance, and even marketing will help ensure triage efforts are focused on the greatest threats to your organization.
  • Ease the workload with automated vulnerability lifecycle management.
    Many tedious tasks within the vulnerability lifecycle management can be automated. This also applies to CVSS. You can automate processes that help add asset tags, exploitability intel, and impact scoring for a greater, in-depth risk profile and better decision making.
  • Regularly review and update CVSS metrics based on environmental factors.
    CVSS 4.0 includes Environmental metrics to modify the Base score to your infrastructure and security protocols. However, this isn’t a one-and-done calculation. Threats continue to change as well as your infrastructure, technologies, team members, and so on. You will need to review them as changes occur, as well as run continuous threat monitoring for the latest threats.

Go beyond vulnerability tracking: download our Context Is Key E-Book to optimize your offensive security program.

What Does the Future Look Like for Risk-Based Scoring?

As we move forward, risk-based scoring will continually adapt and evolve as expected. While we can’t say for sure, we do believe the future will focus on contextual scoring that includes prioritized risks based on real impact, automated workflows, and the ability to proactively identify vulnerabilities, as we’ve seen with new regulations like DORA.

With that comes continuous threat exposure management (CTEM), which embodies threat intelligence, exposure management, assessment, validation, and prioritization together to continuously improve security.

If you’re interested in moving towards the future of CTEM and contextual scoring, request a PlexTrac demo today.

How Does PlexTrac Take CVSS to the Next Level?

You can count on PlexTrac to add context to your CVSS scoring. If you’re using CVSS to drive risk-based prioritization or want to continuously manage threats, we can help.

With PlexTrac’s powerful risk-based vulnerability management solution, you can:

  • Enhance your implementation and utilization of CVSS automatically in your workflows.
  • Streamline the process of assessing and recommending remediation steps with AI.
  • Import all your findings and vulnerability details with our vuln scanner integrations or open API.
  • Collaborate better between technical teams, executives, and clients.
  • Prioritize remediation with our platform’s actionable insights and recommendations.
  • Get continuous vulnerability monitoring and use CVSS scoring in your equations for auto-updated risk scores based on real-time vulnerability updates.
  • Deliver superior pentesting reports to clients with scoring and identifier tools, including a CVSS 4.0 calculator — older versions like the CVSS 3.1 calculator are also available.
  • Leverage our educational resources and best practices for continuous testing and better security resilience.

To learn more about how PlexTrac’s AI-powered penetration test reporting tool and platform can help you, or see our CVSS calculators in action, request a demo.

CVSS is owned by FIRST and used by permission. This calculator is based on the official FIRST CVSS documentation.

Executive Summary

CVSS (Common Vulnerability Scoring System) is a well-known and widely used framework for ranking vulnerability severity. It provides clear numeric rankings from 1-10 that make it easy for security professionals, executives, clients, and partners to communicate about their biggest threats. CVSS is a great tool to have in your arsenal; however, it does have limitations. CVSS scores capture technical severity, but you will still need to assess the likelihood of exploitation, asset criticality, and operational impact yourself.

The Environmental and Supplemental metric groups do help with this, but additional tools for contextual, risk-based vulnerability management will enable a stronger, more adaptable security program. CVSS continues to evolve and is becoming a more powerful and context-aware prioritization tool, but it’s important to take a multi-tiered approach to your cybersecurity.

FAQs About CVSS

What Is a Good CVSS Score?

CVSS, also known as the Common Vulnerability Scoring System, ranks vulnerabilities from 0.0 to 10.0, with the lowest scores equating to the lowest risks.

  • 0.0 = None
  • 0.1–3.9 = Low
  • 4.0–6.9 = Medium
  • 7.0–8.9 = High
  • 9.0–10.0 = Critical

For a security team defending and working to strengthen its security posture, a good score is a low score: the closer to 0, the better, because it means fewer severe vulnerabilities. A vulnerability scoring closer to 10 should typically be mitigated quickly so that your overall exposure keeps falling, but the actual priority depends on your business context.

How Often is CVSS Updated?

The CVSS framework is not on a set schedule for routine updates. However, FIRST continues to make updates every few years. Their most recent updates include:

  • CVSS v2 in 2007
  • CVSS v3 in 2015
  • CVSS v3.1 in 2019
  • CVSS v4.0 in 2023

When it comes to the individual CVSS scores for vulnerability rating, they are updated as new threat intelligence and exploit data become available.

Should I Trust a Vendor’s CVSS Rating?

Like anything in cybersecurity, always apply a zero-trust mindset. You shouldn’t blindly trust any vendor’s CVSS rating. Instead, you should:

  1. Do your research, as some vendors may lean toward lower scores to downplay risks.
  2. Compare the vendor’s CVSS score with the NVD (National Vulnerability Database) rating.
  3. Analyze the CVSS vector, rather than relying on the generated number.
  4. Be mindful of your IT infrastructure and environment, as your risk tolerance for certain assets, exposures, and threat models may vary.

When Is a “Low” CVSS Actually High Risk?

Although a low CVSS may seem good, it can still be dangerous if the vulnerability:

  • Affects high-value assets such as executive systems or financial databases.
  • Is chained to other vulnerabilities that escalate potential damage.
  • Is exposed to the internet or sits on crucial systems that contain PII or impact operations.
  • Has been actively exploited in the wild.

This is why it’s important to consider CVSS scoring when analyzing a vulnerability, but it should not be taken as the final word. Be sure to validate the rankings against reliable threat intelligence systems and your own environment and business knowledge.

How Do CVEs Relate to CVSS?

Those newer to cybersecurity may wonder about the differences between CVE vs CVSS and how they correlate. They are quite different. When a vulnerability is published in the Common Vulnerabilities and Exposures (CVE) database, it receives a CVE ID that identifies that vulnerability. Each identifier is assigned by MITRE and the CVE Numbering Authorities (CNAs) to ensure that every vulnerability is referenced consistently across tools, databases, and advisories.

Each CVE’s severity is assessed using the CVSS methodology to help organizations know how to map a CVE to CVSS and gauge the impact of the risks. If the CVE’s CVSS score isn’t included, you can use a CVSS scoring calculator, like the one provided in the PlexTrac platform.

What Other Scoring Methodologies Are Available?

CVSS scoring is often used because, no matter what the budget is or how well a team is staffed, you can still use this scoring method. It is free for everyone to use, and most scanners leverage it. However, there are other methodologies you can consider to meet your business needs, including:

  • Stakeholder-Specific Vulnerability Categorization (SSVC)
    • SSVC is a framework developed by Carnegie Mellon’s CERT Division. SSVC focuses on decision-based contextual factors that affect an organization’s need to address vulnerabilities, including exploitation status, technical impact, automatability, exposure, and mission or business impact.
    • When comparing SSVC and CVSS, SSVC is structured like a decision tree that is highly organization-specific, whereas CVSS is a numeric score system that is more easily automated. [3]
  • Exploit Prediction Scoring System (EPSS)
    • EPSS is a data-driven model that measures the likelihood of a vulnerability being exploited within 30 days. EPSS uses real-world threat intelligence and machine learning models to estimate exploitation probability. The EPSS score is dynamic and adapts to new data.
    • Comparing EPSS with CVSS: both were developed by FIRST to help evaluate cybersecurity vulnerabilities, but CVSS is a severity scoring system that measures how serious a vulnerability could be if exploited, from a technical perspective. Once calculated, a CVSS score remains static unless the vulnerability’s underlying characteristics are updated and the score is recalculated, whereas an EPSS score can change continually. [4]
  • OWASP Risk Rating Methodology
    • A risk assessment framework developed by OWASP to help organizations understand and rank the risks in web applications. It assesses based on threat agent factors, vulnerability factors, as well as technical and business impact.
    • OWASP’s risk methodology takes a qualitative approach to measuring web application risk, whereas CVSS takes a numeric approach to software vulnerabilities that is highly standardized. [5]