The IT Law Wiki

Overview

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The CVSS was originally commissioned by the National Infrastructure Advisory Council in support of the global Vulnerability Disclosure Framework to solve the problem of multiple incompatible vulnerability scoring systems. Since its inception and adoption by the Forum of Incident Response and Security Teams (FIRST), an upgraded version of CVSS is now commonly used.

CVSS consists of three groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0.0 to 10.0, and a vector (a compressed textual representation that reflects the values used to derive the score).

  • Base Metrics: The base metrics use the characteristics of the vulnerability that are constant over time and across user environments. These variables include the access vector, access complexity, and authentication. They also take into consideration the vulnerability's impact on confidentiality, integrity, and availability. ICS-CERT recommends that control systems owners and operators customize the CVSS score by providing, when possible, temporal metrics as described below.
  • Temporal Metrics: The temporal metrics capture the threat posed by the vulnerability at a certain point in time. These metrics are optional and do not affect the base score if they are omitted.
  • Environmental Metrics: The final part of the CVSS score is the environmental metrics. These metrics take into account the unique environment the vulnerability affects, such as its effect on an individual organization. These metrics are also optional and may be excluded without affecting the score when the vulnerability is scored generically. ICS-CERT recommends that control systems owners and operators customize the CVSS score to their local environment by completing the environmental metrics.

CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.

How it works

The CVSS is used by ICS-CERT in vulnerability advisories. The CVSS base score ranks the severity of the vulnerability on a scale of 0 to 10. Version 2 was released in June 2007 to address issues such as inconsistencies in scoring methods.

A number of CVSS score calculators are available online. Almost all vulnerabilities listed in the National Vulnerability Database (NVD) are associated with a corresponding CVSS base score to rank severity.

Sources

  • ICS-CERT Monitor 2-3 (Oct./Nov./Dec. 2012) (full-text).
  • NIST, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NIST Interagency Report 7435) (Aug. 2007) (full-text).