LLMpedia: The first transparent, open encyclopedia generated by LLMs

CVSS

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article genealogy: parent article Dependabot (Hop 4)
Infobox: CVSS
Logo credit: FIRST (Forum of Incident Response and Security Teams), CC BY-SA 4.0
Name: CVSS
Developer: FIRST
Released: 2005
Latest release version: 3.1
Genre: Vulnerability scoring
License: Open standard

CVSS (the Common Vulnerability Scoring System) provides a standardized framework for assessing the severity of security vulnerabilities. It aims to enable consistent communication among FIRST, US-CERT, NIST, MITRE, and vendors such as Microsoft, Google, Oracle and Red Hat about risk prioritization. CVSS integrates with tools and standards including CVE, NVD, SCAP, ISO/IEC 27001 and PCI DSS to support incident response, patch management, and compliance workflows.

Overview

CVSS defines quantitative scores to express the relative severity of software flaws so that entities like US-CERT, Cisco Systems, IBM, Symantec and Trend Micro can prioritize remediation. The framework separates technical characteristics evaluated by analysts from contextual considerations relevant to organizations such as DHS, ENISA and NCSC. Implementations appear in vulnerability databases maintained by NVD, MITRE, and security products from Tenable, Qualys, Rapid7 and McAfee. Governance and updates have involved stakeholder outreach to vendors, researchers from Google Project Zero, academic groups at CMU and practitioners at SANS Institute.

History and Versions

CVSS originated in the mid-2000s through coordination among FIRST, MITRE and government entities including US-CERT and NIST. Early adoption by CVE coordinators and database operators such as NVD led to iterative revisions; notable versions include CVSS v1, CVSS v2 and CVSS v3.0, with subsequent refinement to CVSS v3.1. Each revision responded to critiques from stakeholders including researchers at University of Cambridge, MIT, and consultancy firms like Accenture and Deloitte. Standardization efforts intersected with international bodies such as ISO and influenced regulatory guidance from agencies like FINRA and SEC in the context of disclosure obligations.

Scoring Methodology

The methodology produces a numerical score between 0.0 and 10.0 that summarizes the severity of a vulnerability, influenced by factors studied in publications from ACM, IEEE, and security conferences like Black Hat and DEF CON. Scoring combines base metrics, temporal metrics, and environmental metrics, allowing organizations such as Bank of America, JPMorgan Chase, AWS and GCP to adjust scores for operational context. CVSS scoring is referenced in guidance from ENISA, CERT-EU, and procurement standards used by European Commission teams. Calculation examples are taught in training from SANS Institute, GIAC, and university courses at Stanford University and Harvard University.

Metric Groups

CVSS groups metrics into Base, Temporal, and Environmental categories, mirroring taxonomies used by ISO/IEC 27002, NIST SP 800-53 and control frameworks like COBIT and the NIST Cybersecurity Framework. Base metrics capture the exploitability and impact elements cited in research by RAND Corporation and MITRE. Temporal metrics reflect exploit maturity and remediation level as discussed in advisories from US-CERT, CERT/CC and vendors such as IBM X-Force. Environmental metrics enable customization to assets and business impact, as practiced by Deloitte, KPMG, PwC and corporate risk teams at Siemens AG, its subsidiaries and General Electric.

Adoption and Use

Wide adoption has occurred across public and private sectors: national CERTs including US-CERT, CERT-EU and JPCERT/CC publish CVSS values; vendors such as Microsoft, Apple Inc., Adobe Systems and Cisco Systems annotate advisories with scores. Cloud providers like AWS, Microsoft Azure, and Google Cloud Platform integrate scores into vulnerability dashboards used by customers including Facebook, Netflix, Uber Technologies and Airbnb. Regulatory and compliance regimes—from PCI SSC to sectoral regulators like FINRA—reference CVSS-informed prioritization in guidance for incident handling and reporting.

Criticisms and Limitations

Critics from academia (e.g., researchers at University of Oxford and Georgia Institute of Technology) and industry consultants at McKinsey & Company and Booz Allen Hamilton have highlighted limitations: coarse score granularity, inconsistent vendor assignments, and difficulty capturing business context for organizations like HSBC or Deutsche Bank. Analysts at OWASP and papers presented at USENIX Security argue CVSS can misrepresent real-world exploitability compared with telemetry from Mandiant and CrowdStrike. Proposals for alternatives or supplements have involved projects at MITRE, discussions in FIRST working groups, and input from standards bodies such as IETF and ISO. Persistent issues include scorer subjectivity, differing mappings across databases like NVD and vendor advisories, and limited incorporation of exploit weaponization data from threat intelligence vendors such as Recorded Future and Anomali.
