Information in italics below is referenced from Wikipedia, reproduced in accordance with the GNU Free Documentation License.

Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The score is derived from a series of measurements (called metrics) that rest on expert assessment.

The CVSS assessment has three types of metrics:

  • Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.
  • Temporal: represents the characteristics of a vulnerability that change over time but not among user environments.
  • Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

  • Base Metrics (the metric names in parentheses are those of CVSS version 2)

1. Access Vector (AV): is the vulnerability exploitable remotely over the network, only from an adjacent network, or only locally?

2. Access Complexity (AC): how complex must an attack be to exploit the vulnerability once the attacker can reach the affected system?

3. Authentication (Au): must the attacker authenticate to exploit the vulnerability, and how many times (none, once, or multiple times)?

4. Confidentiality Impact (C): does the vulnerability expose confidential data, and is the exposure partial or complete?

5. Integrity Impact (I): can attacking the vulnerability damage the integrity of the system, partially or completely?

6. Availability Impact (A): does it impact availability of the system, partially or completely?

  • Temporal Metrics

1. Exploitability (E): how mature is the exploit code available for the vulnerability (unproven, proof-of-concept, functional, or high, meaning widely available or no exploit needed)? The more readily an exploit can be obtained and run, the higher the score; this is distinct from the attack complexity measured in the base metrics.

2. Remediation Level (RL): what remedy exists (an official fix, a temporary fix, a workaround, or none yet)? The score decreases as a more complete remedy becomes available.

3. Report Confidence (RC): how certain is the vulnerability's existence (unconfirmed, uncorroborated, or confirmed)?

  • Environmental Metrics

1. Collateral Damage Potential (CDP): the potential for loss of life, physical assets, productivity or revenue if the vulnerability is exploited.

2. Target Distribution (TD): how many of the organisation's systems (or how much of a system) does the vulnerability affect?

3. Security Requirements (CR, IR, AR): how important are confidentiality, integrity and availability for the affected asset? A high requirement raises the weight of the corresponding impact metric in the environmental score.
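The three metric groups above combine into three scores, each built on the previous one. As an added worked example (written for this page; it is not code from Wikipedia or the official CVSS calculator), the following Python parses a CVSS v2 vector string and computes the base, temporal and environmental scores using the metric weights and equations of the v2 specification. The vector in the `__main__` block is constructed for illustration and does not describe any particular product.

```python
"""CVSS v2 scoring: parse a vector string and compute base, temporal and
environmental scores with the equations and weights of the v2 specification."""
from decimal import Decimal, ROUND_HALF_UP

# Numeric weights assigned to each metric value in CVSS v2.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},  # Access Vector: local / adjacent / network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},   # Access Complexity: high / medium / low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},  # Authentication: multiple / single / none
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},   # Confidentiality impact: none / partial / complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},   # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},   # Availability impact
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # Exploitability (exploit maturity)
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage Potential
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                        # Confidentiality Requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                        # Integrity Requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                        # Availability Requirement
}
ALL = {**BASE, **TEMPORAL, **ENVIRONMENTAL}
# Weights used when a temporal or environmental metric is absent (Not Defined).
DEFAULTS = {"E": 1.0, "RL": 1.0, "RC": 1.0, "CDP": 0.0, "TD": 1.0, "CR": 1.0, "IR": 1.0, "AR": 1.0}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:...]' into {metric: weight}; all six base metrics are required."""
    weights = dict(DEFAULTS)
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL or value not in ALL[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[name] = ALL[name][value]
    missing = [m for m in BASE if m not in weights]
    if missing:
        raise ValueError(f"incomplete base vector, missing {missing}")
    return weights


def round1(x):
    """Round to one decimal, half-up in decimal arithmetic, so a binary-float
    artefact such as 9.1499999... cannot flip a borderline score."""
    return float(Decimal(str(round(x, 10))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact(w, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub-score; with the requirement multipliers it is the environmental AdjustedImpact."""
    return 10.41 * (1 - (1 - w["C"] * cr) * (1 - w["I"] * ir) * (1 - w["A"] * ar))


def base_from_impact(w, imp):
    """Base equation: 0.6 * Impact + 0.4 * Exploitability - 1.5, scaled by f(Impact)."""
    if imp == 0:                       # a vector with no C/I/A impact scores 0 regardless of access
        return 0.0
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return round1(((0.6 * imp) + (0.4 * exploitability) - 1.5) * 1.176)


def base_score(vector):
    w = parse_vector(vector)
    return base_from_impact(w, impact(w))


def temporal_from_base(w, base):
    """Temporal metrics only ever scale the base score down (all weights are <= 1)."""
    return round1(base * w["E"] * w["RL"] * w["RC"])


def temporal_score(vector):
    w = parse_vector(vector)
    return temporal_from_base(w, base_from_impact(w, impact(w)))


def environmental_score(vector):
    w = parse_vector(vector)
    # Recompute base and temporal with the impact weighted by the asset's C/I/A requirements (capped at 10),
    # then add collateral damage and scale by how much of the estate is affected.
    adjusted_impact = min(10.0, impact(w, w["CR"], w["IR"], w["AR"]))
    adjusted_temporal = temporal_from_base(w, base_from_impact(w, adjusted_impact))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * w["CDP"]) * w["TD"])


def scores(vector):
    """All three scores; temporal and environmental metrics that are absent count as Not Defined."""
    return {"base": base_score(vector), "temporal": temporal_score(vector),
            "environmental": environmental_score(vector)}


if __name__ == "__main__":
    # Constructed sample: remote, low complexity, unauthenticated, complete availability impact only,
    # functional exploit, official fix, confirmed, high collateral damage on a widely deployed asset.
    print(scores("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

The abbreviations in the vector (`Au:N`, `E:POC`, `RL:OF`, `CDP:LM`) follow the v2 vector notation. One practical caveat the code makes visible: with no temporal or environmental metrics set, the temporal and environmental scores simply equal the base score, so an "environmental score" that merely echoes the base score usually means nobody has filled in CDP, TD and the security requirements for the asset, and the prioritisation the page describes has not actually happened.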

Licensing and Documentation

The guide to CVSS can be downloaded from the following link


