Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is an open, published standard (maintained by FIRST) for rating the severity of a vulnerability as a numerical score derived from a fixed set of characteristics of the flaw. CVSS scores are commonly published alongside entries in the Common Vulnerabilities and Exposures (CVE) List and in other vulnerability databases, and organizations and services around the globe use them to prioritize vulnerabilities and to assess their vulnerability management processes.

CVSS is an excellent example of how the standardized, publicly available CVE List is leveraged by another service to add value to vulnerability management programs. To promote its integration with other products and services, the CVE List is available in a number of human- and machine-readable formats.

The goal of CVSS is to let you compare vulnerabilities in different applications, and from different vendors, in a standardized, repeatable, vendor-agnostic way.

CVSS produces a score from 0.0 to 10.0, where 10.0 is the most severe. The Base score measures the intrinsic severity of the flaw itself, not the risk to your environment: it does not know whether the affected component is reachable, already patched, or protected by compensating controls, so on its own it is a ranking input rather than a risk verdict.

By using CVSS to prioritize vulnerabilities, you can work on the most severe ones first and reduce the overall risk to your organization, provided you read the score together with how exposed and how exploitable each finding actually is in your own environment.

CVSS scores are also mapped to the qualitative severity ratings you may have seen. In CVSS v3.x they are: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0).

The CVSS v3.x Base score combines eight metrics, each chosen from a small set of values, into a single number. Those metrics are:

  • Attack Vector (AV): how the attacker reaches the vulnerable component (Network, Adjacent, Local or Physical)
  • Attack Complexity (AC): whether conditions outside the attacker's control must hold (Low or High)
  • Privileges Required (PR): the level of access the attacker needs beforehand (None, Low or High)
  • User Interaction (UI): whether a victim must do something for the attack to succeed (None or Required)
  • Scope (S): whether exploiting the flaw affects resources beyond the vulnerable component's own security authority (Unchanged or Changed)
  • Confidentiality (C): impact on the confidentiality of data (High, Low or None)
  • Integrity (I): impact on the integrity of data (High, Low or None)
  • Availability (A): impact on the availability of the component (High, Low or None)

The first four are the Exploitability metrics, the last three are the Impact metrics, and Scope decides which formula variant combines them. Note that CVSS v4.0 drops the Scope metric and instead rates impact on the vulnerable system and on subsequent systems separately, so the list above is specific to v3.x.