What Is The Common Vulnerability Scoring System (CVSS)
Vulnerabilities are flaws in an organization's internal controls, information systems, or processes that cybercriminals can exploit to steal corporate data and cause harm.
Organizations need to identify, prioritize, and remediate these vulnerabilities as soon as possible.
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It produces a numerical score that ranks vulnerabilities by severity, so organizations can prioritize their vulnerabilities according to whether the CVSS score falls in the low, medium, or high range.
The non-profit Forum of Incident Response and Security Teams (FIRST) owns and manages CVSS. Many organizations have adopted CVSS, including the United States Department of Homeland Security, the United States Computer Emergency Response Team, Amazon, Cisco, HP, Huawei, IBM, McAfee, Oracle, Qualys, and SAP.
CVSS v2 vs. CVSS v3: What Is the Difference?
The National Infrastructure Assurance Council (NIAC) first introduced CVSS in 2005, and in 2007 released CVSS v2 to better reflect the wide range of vulnerabilities.
CVSS v3 was introduced in June 2015, with scoring changes intended to reflect real-world vulnerabilities more accurately. CVSS v3.1 was released in 2019, clarifying that CVSS v3.1 measures a vulnerability's severity, not its risk.
CVSS Score Metrics
Organizations calculate CVSS scores based on metrics categorized into three groups from which different scores are derived.
These metric groups include:
Base Metrics
The Base Metric Group represents a vulnerability's inherent characteristics, i.e., those that don't change over time or across different user environments. Organizations use the corresponding CVSS Base Score as a key metric of vulnerabilities' severity. It allows them to gauge the vulnerabilities' impacts on their systems and prioritize which to patch first.
The Base Metric Group contains several metrics that together create a CVSS Base Score. These metrics are:
- Exploitability Metrics: Exploitability indicates how easily a malicious actor can exploit a vulnerability and is defined by four specific metrics:
  - The attack vector defines the level of physical or network access a cybercriminal needs for exploitation.
  - The attack complexity refers to the conditions beyond the attacker's control that must exist for a cybercriminal to exploit a vulnerability.
  - The privileges required is the system privilege level needed to exploit a vulnerability.
  - The user interaction indicates whether a user needs to do anything, e.g., install an application, to enable the cybercriminal to exploit a vulnerability.
- Impact Metrics: Impact focuses on what a cybercriminal can achieve by exploiting a vulnerability and breaks down into three metrics:
  - Confidentiality refers to the volume of data a cybercriminal can access after infiltrating a system. Vulnerabilities that expose system-wide data stores rank higher than those that expose local and siloed resources.
  - Integrity focuses on whether the protected data can be tampered with or altered.
  - Availability centers on the ability to deny service to users and their data.
- Scope Metric: Scope captures whether a vulnerability in one system or component affects another system or component beyond the vulnerable one.
The base metrics produce a score between zero (the lowest) and ten (the highest). Organizations can adjust the base score by scoring the temporal and environmental metrics.
Temporal Metrics
Temporal metrics change over time, measuring a vulnerability's current state and the availability of patches. The three metrics in this group are: exploit code maturity, remediation level, and report confidence.
- Exploit code maturity measures how difficult it is for a cybercriminal to exploit a vulnerability.
- Remediation level gauges whether there's a patch or workaround to mitigate the vulnerability.
- Report confidence measures how confident sources are that a vulnerability exists and that it is exploitable.
Environmental Metrics
Environmental metrics allow organizations to modify the base CVSS metrics based on specific business factors that might increase or decrease a vulnerability's severity. Environmental metrics consist of modified base CVSS metrics and security requirements:
- Modified base metrics: Organizations may modify the values of the base metrics by implementing compensating controls or mitigation measures to reduce the chances a cybercriminal will exploit a vulnerability.
- Security requirements describe and score an asset based on its importance to the organization, measured in confidentiality, integrity, and availability:
  - Confidentiality is the ability to hide data from unauthorized users.
  - Integrity is the ability to secure data from being changed from the original.
  - Availability is how accessible the data is to authorized users as needed. The more critical the asset, the higher the score.
CVSS vs CVE
CVSS and CVE are complementary standards but not directly related.
- Common Vulnerabilities and Exposures (CVE) catalogs publicly-disclosed security vulnerabilities and exposures with unique identifiers. The CVE program provides common identifiers for publicly known flaws, not severity scoring or prioritization ratings for vulnerabilities.
- CVSS scores are assigned to each CVE to indicate its severity. This is done by the National Vulnerability Database (NVD), a US government database of standards-based vulnerability data.
Limitations of CVSS
It is important to realize that publicly available CVSS scores do not include the full CVSS metric; they reflect only the Base Score. This is a generic measure of how dangerous a vulnerability is, but it does not quantify the specific risk it poses to your company.
If you run a vulnerability scan, chances are you will find a large number of vulnerabilities, many of them with a high CVSS Base Score. The question is which of these can really result in a damaging security breach in your specific context.
Understanding the impact within your environment requires the other elements of the CVSS metric, the Temporal and Environmental factors. Scoring these factors requires in-depth knowledge of your organization, its technology stack, and the specific risks it is facing. So it is important to complement raw CVSS scores with additional insights derived from threat modeling and a risk-based analysis of your IT environment.
How Can HackerOne Help?
Work with HackerOne and our hacker community, the world’s largest and most diverse, to help your organization find and remediate vulnerabilities faster. HackerOne uses CVSS, the industry-standard scoring system, to determine the severity of vulnerabilities. Our HackerOne Platform delivers comprehensive continuous security testing that reduces cyber risk and decreases attack surfaces to stop exploits before they happen. Contact us to learn more.