Common Vulnerability Scoring System (CVSS) definition: a standard rating for the severity of software vulnerabilities, guiding how urgent remediation should be.
Common Vulnerability Scoring System (CVSS) standardizes how to rate the severity of software flaws, enabling organizations to prioritize fixes consistently. A numerical score (0–10) derived from Base metrics (attack vector, complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impacts), Temporal metrics (exploit maturity, remediation level), and Environmental metrics (specific business impact) captures how exploitable and damaging a vulnerability can be. Version 3.1 refined earlier scoring rubrics to handle scope changes (e.g., container escapes). Limitations include not factoring in real-time threat intelligence unless you adjust the Temporal or Environmental metrics, and ignoring business context beyond broad categories. Despite these drawbacks, CVSS remains widely used in security bulletins and vulnerability management dashboards. Mature teams supplement raw CVSS with additional factors like exploit availability, asset criticality, or compensating controls to triage effectively. Scores help unify communication across IT teams, compliance auditors, and leadership, but they aren’t a sole decision-maker. CVSS fosters a common language around severity and encourages consistent patch prioritization methods across multi-vendor environments.