CVSS Scoring
Learn CVSS scoring and how it’s used to assess the severity of vulnerabilities.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is a standardized, open framework for communicating the characteristics and impact of IT vulnerabilities. Simply put, a CVSS score tells us how severe a discovered vulnerability is: the higher the score, the more severe the vulnerability. Note that CVSS measures technical severity, not the risk a vulnerability poses to a particular organization; the environmental metrics described below exist precisely to adjust the score for a given deployment.
CVSS v3.x scoring is structured around three metric groups (CVSS v4.0, published in 2023, renames the temporal group to threat metrics and adds a supplemental group):
Base score: This score captures the intrinsic qualities of a vulnerability that do not change over time or across environments. Its metrics are:
Attack vector (AV): This describes where an attacker must be to exploit the vulnerability (Network, Adjacent, Local, or Physical).
Attack complexity (AC): This indicates whether conditions beyond the attacker's control (such as winning a race or a specific configuration) must be met for exploitation (Low or High).
Privileges required (PR): This specifies the level of privileges an attacker must already hold on the vulnerable component before exploitation (None, Low, or High).
User interaction (UI): This specifies whether a user other than the attacker must take some action, such as opening a file, for exploitation to succeed (None or Required).
Scope (S): This determines whether a vulnerability in one component can affect resources governed by a different security authority (Unchanged or Changed). A sandbox escape or a VM guest-to-host escape is the classic Scope: Changed case.
Confidentiality, integrity, and availability impact (C/I/A): These detail how exploitation affects the confidentiality, integrity, and availability of the impacted component's data and functionality, each rated High, Low, or None.
Temporal score: This score varies over time as the threat landscape changes and considers the following:
Exploit code maturity (E): This describes how mature the available exploit for the vulnerability is, from unproven to functional exploits or active exploitation (this metric was called Exploitability in CVSS v2).
Remediation level (RL): This describes the availability of fixes, from an official vendor patch down to a temporary fix, workaround, or nothing at all.
Report confidence (RC): This indicates the degree of confidence in the existence of the vulnerability and the accuracy of its reported attributes.
Environmental score: This score tailors the CVSS vector to a specific environment, capturing the vulnerability's severity for a particular organization or system. It lets the analyst override any base metric with a modified value (for example, Attack vector becomes Local because the service sits behind a VPN) and weights the C/I/A impacts by the confidentiality, integrity, and availability requirements (CR/IR/AR) of the affected asset.
Interpreting CVSS scores
Vulnerabilities are scored on a scale from 0 to 10:
0.0: None
0.1–3.9: Low severity
4.0–6.9: Medium severity
7.0–8.9: High severity
9.0–10.0: Critical severity
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a standard identifier scheme for publicly known vulnerabilities, maintained by the MITRE Corporation. Each entry has the form CVE-YYYY-NNNN (the year of assignment followed by an arbitrary-length sequence number, at least four digits) and gives everyone a common name for the same flaw. CVE entries are referenced in cybersecurity products, advisories, and services from around the world. CVE and CVSS complement each other: a CVE identifies a vulnerability, while a CVSS score rates its severity, and databases such as NIST's National Vulnerability Database (NVD) attach CVSS vectors and scores to CVE records.