What is CVSS (Common Vulnerability Scoring System)?

Summary

This article provides a brief introduction to CVSS (Common Vulnerability Scoring System), the open vulnerability scoring standard maintained by FIRST.

Synopsis

CVSS is an open, industry-wide standard for measuring and communicating the severity of a security vulnerability on a numeric scale. Other scoring systems exist, but CVSS is the most widely used.

 

Discussion

A CVSS score ranges from 0.0 (least severe) to 10.0 (most severe). Every security vulnerability scored with CVSS has at least a "base score", which captures the characteristics of the vulnerability that do not change over time or across environments (how it is reached, how hard it is to exploit, whether authentication is needed, and its impact on confidentiality, integrity and availability). Two optional metric groups, temporal and environmental, can be blended with the base score to create an "overall score" that also reflects the current state of exploit code and remediation and the vulnerability's impact in a specific deployment.
 
For example, the CVE-2013-2251 security vulnerability has a CVSS base score of 9.3, which is very severe (the NVD rates base scores of 7.0 and above as "High"). The user community of software affected by a vulnerability with a 9.3 base score will most likely demand that the software's author resolve it in a very short time frame.
 
A CVSS score is usually assigned by the person or entity that publicly discloses the security vulnerability, such as the vendor or the researcher who found it, and NVD analysts also publish their own score for each CVE. To date, even security vulnerabilities in Flexera products have been scored by someone else; however, Flexera may score its own vulnerabilities in the future. A CVSS score can change over time as more information about the vulnerability is learned, which is what the optional temporal metrics are meant to capture.
 
The NVD database at http://www.nvd.nist.gov catalogs each CVE number and its CVSS score(s) for all publicly disclosed security vulnerabilities. Here is an example of an NVD entry that shows a CVE number and its CVSS score(s): http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251.

See this knowledge base article for the definition of a CVE number: CVE (Common Vulnerabilities and Exposures).

See http://www.first.org/cvss/cvss-guide for a complete definition of the CVSS system.