The Common Vulnerability Scoring System (CVSS) is an open framework created to help an organization's incident response teams. It summarizes the principal characteristics of software, hardware and firmware vulnerabilities in a single score, which makes it easy to compare one vulnerability against others.
As of writing, the CVSS specification is at version 3.1 and is managed by FIRST.Org, Inc. The scoring system is built on three metric groups: Base, Temporal and Environmental. The final CVSS score is derived from 15 metrics across those groups.
The Base metric group includes the Exploitability and Impact metric subgroups. Base scores remain constant over time and assume the worst-case impact for the affected environment. The Base metrics produce a score ranging from 0 to 10. It is common for only the Base metrics to be published, as they are valid at any time and in any environment.
The Temporal metric group includes metrics that change over time: when a vulnerability is being actively exploited the score goes up, while the release of a patch brings it down.
Finally, the Environmental metric group includes factors that are unique to an organization's environment, such as the importance of the affected equipment and the security controls already in place. An assessment of an organization that uses a vulnerable product will tailor the CVSS scores to that environment and to the maturity of available exploits and mitigations.
In the following posts we will be diving deeper into the scoring and metrics of these groups.