| Common Vulnerability Scoring System | |
|---|---|
| Name | Common Vulnerability Scoring System |
| Abbreviation | CVSS |
| Developer | Forum of Incident Response and Security Teams (FIRST) |
| Initial release | 2005 (version 1) |
| Latest release | 4.0 (November 2023); 3.1 (2019) remains in wide use |
| License | Open specification published by FIRST |
The Common Vulnerability Scoring System (CVSS) is an open framework, maintained by FIRST (Forum of Incident Response and Security Teams), for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0 using a standardized set of metrics. Every score is accompanied by a vector string that records the value chosen for each metric, so a rating published by one party can be reproduced or re-assessed by another. Vulnerability databases such as the NIST National Vulnerability Database (NVD), national CSIRTs such as the CERT Coordination Center and US-CERT (now part of CISA within the Department of Homeland Security), the European Union Agency for Cybersecurity (ENISA), and the security advisories of vendors including Microsoft, Google, Oracle and Amazon all publish or consume CVSS scores, which makes the framework a common input to patch prioritization and mitigation planning across the public and private sectors. FIRST itself stresses that CVSS measures technical severity, not risk: a score is one input to prioritization and does not replace knowledge of the affected asset, its exposure, and whether the flaw is actually being exploited.
The framework converts a fixed set of qualitative judgements about a vulnerability (how it is reached, what privileges and user interaction an attacker needs, and what a successful exploit does to confidentiality, integrity and availability) into a single numeric score through formulas published in the specification, so that two analysts who agree on the metric values arrive at the same number. Because the score and its vector string are short plain-text fields, they travel easily through the ticketing systems of vendors such as Atlassian and ServiceNow, the vulnerability-management consoles used by administrators at large enterprises such as IBM, Cisco, Hewlett Packard Enterprise, Siemens and General Electric, and the threat-intelligence platforms of vendors such as CrowdStrike and FireEye. Guidance documents from standards bodies such as ISO/IEC and NIST reference the methodology as the conventional way to express vulnerability severity.
CVSS version 1 was developed during 2004 and 2005 by a working group of the US National Infrastructure Advisory Council (NIAC) with participation from security researchers, software vendors and incident response organizations such as the CERT Coordination Center and US-CERT, and was released in February 2005. NIAC then chose FIRST as the framework's custodian, and since 2005 the specification has been maintained by the FIRST CVSS Special Interest Group (SIG), whose membership draws on software vendors, national CSIRTs, vulnerability databases and academic researchers. The framework is complementary to the Common Vulnerabilities and Exposures (CVE) identifier scheme maintained by MITRE: CVE names a vulnerability, while CVSS rates its severity, and databases such as NVD attach a CVSS score to each CVE record. Each major version has been circulated as a public draft for comment before release.
The model groups the characteristics of a vulnerability into three metric groups. The base metrics capture properties that are intrinsic to the flaw and constant over time and across environments; in version 3.x these are Attack Vector (network, adjacent, local or physical), Attack Complexity, Privileges Required, User Interaction, Scope (whether a successful exploit affects resources beyond the vulnerable component's own security authority), and the Confidentiality, Integrity and Availability impacts. The temporal metrics adjust the base score for factors that change as a vulnerability ages: Exploit Code Maturity, Remediation Level (whether an official fix, temporary fix or workaround exists) and Report Confidence; threat-intelligence functions track these so that a flaw with a public, weaponized exploit outranks one with only an unproven proof of concept. The environmental metrics let an organization re-score a vulnerability for its own deployment by stating the Confidentiality, Integrity and Availability Requirements of the affected asset and by overriding any base metric (the "modified" metrics) to reflect compensating controls, for example lowering Attack Vector for a service that is not reachable from the network. This is how an infrastructure operator such as Siemens or Schneider Electric, or the security team of a bank such as JPMorgan Chase or Barclays, turns a vendor's generic severity into a site-specific priority. Only the base score is mandatory: the vendor or database normally publishes it, while temporal and environmental adjustment is the consumer's job. Version 4.0 keeps the same overall structure but renames the temporal group to Threat and adds an optional Supplemental group.
The specification has been revised several times, each time to resolve ambiguities and scoring inconsistencies reported by the vendors, CSIRTs, vulnerability databases (notably NIST's NVD) and researchers who apply it at scale. Version 2 (2007) reworked the version 1 metrics and weights to address the inconsistency and lack of granularity found in early scores. Version 3.0 (2015) replaced the Authentication metric with Privileges Required and User Interaction, introduced Scope and the physical attack vector, and defined the qualitative rating scale (None, Low, Medium, High, Critical). Version 3.1 (2019) changed no metric values or weights but clarified the definitions, tightened the rounding rule and adjusted the environmental impact formula so that scores are reproducible across implementations. Version 4.0 (2023) went further: it split Attack Requirements out of Attack Complexity, replaced Scope with separate impact metrics for the vulnerable system and subsequent systems, renamed the temporal group Threat, and added Supplemental metrics such as Automatable and Recovery. Because each version carries its own formulas and weights, a version 2 score and a version 3.1 score for the same CVE are not directly comparable, and a vector string always begins with the version it was scored under.
Because the formulas are published, the calculator is simple to implement, and FIRST hosts a reference calculator for each version. Vulnerability scanners from Tenable, Qualys and Rapid7 and open-source tools such as OpenVAS attach CVSS vectors and scores to their findings, typically taking the base score from NVD or the vendor advisory rather than scoring independently, and the Nmap vulners script reports the same data for the services it fingerprints. The scores are consumed downstream by SIEM products such as Splunk and IBM QRadar through reporting integrations, by configuration-management and orchestration tools such as Ansible, Puppet and Chef when patch runs are gated on severity, and by enterprise risk-management suites from vendors such as McAfee and Symantec. Researchers, including CERT/CC at Carnegie Mellon University's Software Engineering Institute, have built prototypes that extend or replace the model, CERT/CC's Stakeholder-Specific Vulnerability Categorization (SSVC) decision trees being the best-known alternative.
The framework has well-known limitations, debated in academic journals and at industry venues such as Black Hat and IEEE conferences. Its granularity and context insensitivity are the most common complaints: base scores cluster in the High and Critical bands, so a base score alone does little to separate the handful of vulnerabilities that matter from the thousands that do not. Studies in which several analysts independently scored the same vulnerabilities have found substantial disagreement on individual metrics, so the reproducibility the formulas promise depends on consistent reading of the metric definitions. The base score says nothing about whether a flaw is being exploited in the wild, and industry analysts have noted how poorly it maps to real-world exploitability; this is why FIRST's Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities catalog are now used alongside CVSS for prioritization. Environmental scoring, which is meant to supply deployment context, is in practice applied inconsistently across asset inventories or skipped altogether, a gap auditors regularly highlight. More fundamentally, a score is derived from attributes reported at disclosure time rather than from dynamic telemetry about the deployed system, a concern raised by incident-response teams at firms such as CrowdStrike and Mandiant.
Organizations across sectors, from financial institutions such as JPMorgan Chase and Citigroup and technology firms such as Google and Microsoft to healthcare providers and energy operators, use CVSS scores to prioritize patching and allocate remediation resources, commonly by setting a remediation deadline for each severity band. Regulators and policymakers cite the framework: the PCI Data Security Standard treats a CVSS base score of 4.0 or higher as a failing finding on external vulnerability scans, the US Department of Homeland Security's CISA and the European Commission reference it in cyber-resilience guidance, NIST publishes CVSS scores for CVE entries in the NVD and references the methodology in its vulnerability-management guidance, and ISO/IEC standards do likewise. The framework has also shaped vulnerability-disclosure practice, since vendor and project advisories routinely include a CVSS vector, and procurement criteria for software and critical-infrastructure contracts increasingly require suppliers to report severities in CVSS terms.