Category: Vulnerability Management

Common Vulnerability Scoring System

Also known as: CVSS, CVSS scoring, vulnerability severity scoring

Simply put

CVSS is a standardized, open framework for rating the severity of security vulnerabilities in computing systems. It assigns each vulnerability a numerical score that represents how severe the flaw is, helping organizations understand and prioritize their response. The score is intended to measure severity, not overall risk.

Formal definition

CVSS is an open, vendor-neutral framework that produces a composite numerical score representing the severity of a security vulnerability based on a defined set of scoring criteria. Per NVD guidance, CVSS provides a qualitative measure of severity and is explicitly not a measure of risk. The scoring system evaluates characteristics intrinsic to the vulnerability itself, and the resulting score is intended to be consistent across organizations as a baseline severity indicator. CVSS scores are widely used by vulnerability databases such as the NVD to communicate flaw severity, though practitioners should note that severity scores do not account for contextual factors such as asset criticality, threat intelligence, or compensating controls, which are necessary inputs for actual risk determination.

Why it matters

Security teams routinely face more vulnerabilities than they can remediate in any given cycle, making prioritization one of the most consequential decisions in vulnerability management. CVSS provides a consistent, vendor-neutral numerical baseline that allows practitioners to compare the inherent severity of disparate vulnerabilities across different systems and software components. Without a shared scoring framework, organizations would rely on inconsistent vendor advisories or informal assessments, making cross-team and cross-organization coordination significantly harder.

Who it's relevant to

Security and Vulnerability Management Teams
Practitioners responsible for tracking and remediating vulnerabilities use CVSS scores as a starting point for triage. Teams should understand that CVSS reflects inherent severity and typically needs to be supplemented with contextual data, including asset exposure and threat intelligence, to produce a meaningful prioritization order.
Application Security Engineers
Engineers evaluating vulnerabilities in application dependencies or code-level flaws encounter CVSS scores in scanner output and vulnerability databases. Understanding the score's scope boundaries helps engineers avoid over-prioritizing theoretical high-severity issues in low-exposure contexts, or under-prioritizing lower-scored vulnerabilities that may be highly exploitable in their specific environment.
Risk and Compliance Practitioners
Compliance frameworks and risk programs often reference CVSS thresholds to define remediation SLAs or reporting requirements. Practitioners should note that because CVSS is explicitly not a measure of risk per NVD guidance, using it as a sole risk indicator in formal risk assessments requires qualification and supplementation with organization-specific context.
Software Vendors and Product Security Teams
Vendors issuing security advisories commonly publish CVSS scores alongside CVE identifiers to communicate the severity of flaws in their products. Consistent use of CVSS enables customers and downstream consumers to compare and respond to disclosed vulnerabilities using a shared reference point.
DevSecOps and Platform Engineering Teams
Teams integrating vulnerability scanning into CI/CD pipelines often configure CVSS score thresholds to gate builds or trigger alerts. Understanding that CVSS scores reflect severity at the code or configuration level, without runtime or deployment context, helps teams calibrate thresholds to reduce both false urgency and missed critical issues in production environments.

Inside CVSS

Base Score
A numeric score from 0.0 to 10.0 representing the intrinsic characteristics of a vulnerability that are constant across user environments, derived from Base metrics such as Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, and Availability Impact.
Temporal Score
An optional score that adjusts the Base Score to reflect characteristics of a vulnerability that may change over time, such as exploit code maturity, remediation level, and report confidence.
Environmental Score
An optional score that allows organizations to customize the CVSS score based on the importance of the affected asset and existing security controls within their specific environment, incorporating Modified Base metrics and security requirements.
Attack Vector (AV)
A Base metric indicating the context by which vulnerability exploitation is possible, with values typically including Network, Adjacent, Local, and Physical, reflecting how remotely an attacker can exploit the vulnerability.
Attack Complexity (AC)
A Base metric describing the conditions beyond the attacker's control that must exist in order to exploit the vulnerability, rated as Low or High.
Privileges Required (PR)
A Base metric capturing the level of privileges an attacker must possess before successfully exploiting the vulnerability, rated as None, Low, or High.
User Interaction (UI)
A Base metric reflecting whether exploitation requires action from a user other than the attacker, rated as None or Required.
Scope (S)
A Base metric indicating whether a successful exploit can affect components beyond the vulnerable component's authorization scope, rated as Unchanged or Changed.
Impact Metrics (C/I/A)
Three Base metrics assessing the degree of impact to Confidentiality, Integrity, and Availability of the affected component, each rated as None, Low, or High.
Qualitative Severity Rating Scale
A labeling system that maps numeric CVSS scores to descriptive severity bands, typically None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0), intended to aid prioritization communication.
Vector String
A compact, machine-readable representation of all metric values used to calculate a CVSS score, allowing scores to be reproduced and audited by other parties.

Common questions

Answers to the questions practitioners most commonly ask about CVSS.

Does a high CVSS base score mean a vulnerability is an immediate, critical priority for my organization?
Not necessarily. The CVSS base score reflects the intrinsic characteristics of a vulnerability in isolation, without accounting for your specific environment. A vulnerability with a base score of 9.8 may pose minimal actual risk if the affected component is not deployed in your environment, is isolated from potential attackers, or has compensating controls in place. Organizations should use temporal and environmental score adjustments, along with threat intelligence and asset context, to determine actual remediation priority rather than relying on the base score alone.
Is CVSS a measure of risk?
No. CVSS is a measure of severity, not risk. The base score captures the technical characteristics of a vulnerability, such as attack vector, complexity, and potential impact, but does not incorporate the likelihood of exploitation in a given context, the value of affected assets, or the effectiveness of existing controls. Risk requires combining severity with probability and business context, which CVSS base scores are not designed to express on their own. The environmental and threat metrics can bring scores closer to a risk-informed view, but CVSS is not a substitute for a formal risk assessment.
How should my organization use CVSS scores in a vulnerability management program?
CVSS scores are most useful as one input among several in a vulnerability management workflow. Organizations typically use the base score as an initial triage filter, then refine prioritization using environmental scores adjusted for asset criticality and existing controls, temporal scores that reflect exploit availability and remediation status, and supplemental threat intelligence indicating active exploitation in the wild. Treating CVSS scores as the sole prioritization mechanism tends to produce backlogs dominated by high-severity findings that carry low actual risk in the specific environment.
What is the difference between the CVSS base score, temporal score, and environmental score, and which should I use?
The base score represents the inherent severity of a vulnerability based on its technical characteristics, independent of time or deployment context. The temporal score adjusts the base score to reflect factors that change over time, such as whether a public exploit exists or whether an official fix is available. The environmental score further adjusts the temporal score to reflect the specific characteristics of your environment, including the presence of compensating controls and the criticality of affected assets. For operational prioritization, the environmental score is the most contextually accurate, though it requires the most effort to maintain. Many organizations use the base score for initial intake and apply environmental adjustments for assets classified as high criticality.
How does CVSS version 4.0 differ from version 3.1 in practice?
CVSS version 4.0 introduced several structural changes compared to version 3.1. It added a new supplemental metric group for contextual attributes such as safety impact and automatability. It refined the base metrics to improve granularity in areas like attack complexity and privileges required. It also reorganized the scoring nomenclature to make explicit which metric groups are contributing to a given score. In practice, scores for the same vulnerability may differ between versions, so organizations should be consistent in which version they apply and be cautious when comparing scores across sources that may use different versions.
Can CVSS scores from the NVD be used directly, or do they require review before use?
NVD-published CVSS scores provide a widely used reference point but should be reviewed before direct operational use. NVD scores are assigned based on publicly available information and may not reflect the full technical context of a vulnerability, particularly for complex or ambiguous cases. Scores are sometimes updated as additional information becomes available, and there can be meaningful delays between disclosure and NVD publication. Additionally, NVD base scores do not reflect your environment, so applying them without environmental adjustment may not accurately represent actual exposure. Many organizations supplement NVD scores with scores published by the originating vendor or with internally assigned environmental adjustments.

Common misconceptions

A high CVSS Base Score means a vulnerability is an immediate high priority for every organization.
The Base Score reflects intrinsic vulnerability characteristics without accounting for the specific environment, asset criticality, or existing compensating controls. Organizations should apply Temporal and Environmental scoring, along with threat intelligence and asset context, to arrive at a priority that is meaningful for their situation. A 9.8 vulnerability in an isolated, non-internet-facing system may warrant lower urgency than a 7.0 vulnerability in a critical public-facing service.
CVSS measures the risk posed by a vulnerability.
CVSS measures the severity of a vulnerability based on its intrinsic and, optionally, contextual characteristics. It does not directly measure risk, which also incorporates threat likelihood, threat actor activity, asset value, and business impact. CVSS is one input into a risk assessment, not a risk score itself.
CVSS scores are objective and universally consistent across all sources.
CVSS scoring involves analyst judgment in selecting metric values, and different analysts or vendors may assign different scores to the same vulnerability. Scores published by NVD, vendors, and researchers for the same CVE may differ, and consumers should review the vector string and rationale rather than relying solely on the numeric score.

Best practices

Always review the full CVSS vector string rather than relying solely on the numeric score or severity label, as the vector string reveals the specific metric values and assumptions underlying the score.
Apply Environmental Score adjustments to account for asset criticality and existing security controls in your environment, since Base Scores do not reflect compensating controls or the relative importance of affected systems.
Use CVSS scores as one input into a broader prioritization process that incorporates threat intelligence, exploitability in the wild, asset exposure, and business impact rather than treating the Base Score as a standalone remediation priority.
Track Temporal Score metrics, particularly exploit code maturity and remediation level, as these change over time and can significantly affect the practical urgency of addressing a vulnerability.
When consuming CVSS scores from multiple sources such as NVD, vendor advisories, and security scanners, compare vector strings across sources and investigate discrepancies, since differing analyst interpretations may affect your prioritization decisions.
Educate stakeholders that CVSS severity ratings are not risk ratings, and establish internal guidance on how CVSS scores map to your organization's remediation SLAs only in combination with contextual factors such as exposure and asset classification.