At SecureSphere, we have been asked what CVSS is and what the score of 0 – 10 means.
So, we thought this might help answer some of those questions.
CVSS stands for the Common Vulnerability Scoring System. It’s a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way, so that vulnerabilities in different applications – and from different vendors – can be compared using one vendor-agnostic approach.
The SANS Institute has a very good write-up on how the CVSS system works. See: https://www.sans.org/blog/what-is-cvss/
To keep a long story short: CVSS scores a vulnerability from 0 – 10, and the score maps to the following severity ratings:
- 0 – None
- 0.1 to 3.9 – Low
- 4.0 to 6.9 – Medium
- 7.0 to 8.9 – High
- 9.0 to 10.0 – Critical
The following metrics are taken into account to generate the score:
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
- Scope
- Confidentiality
- Integrity
- Availability
While CVSS is an important tool for determining which vulnerabilities to remediate first, it’s only one piece of a much larger vulnerability management puzzle. Organizations should use multiple sources of information to assess and prioritize vulnerabilities, not just CVSS scores.
By using the CVSS score in conjunction with other information, you can make better informed decisions about which vulnerabilities to address and in what order.
Thanks to the SANS Institute for the well-written article from which the above has been taken.