Anyone in cybersecurity who has had to deal with vulnerabilities in technology systems has inevitably run into the Common Vulnerability Scoring System (CVSS). Whether or not the name is instantly recognizable, phrases determining vulnerabilities as “critical” or “high” or the like resonate across the industry. CVSS has been used to provide a standardized method to discuss the characteristics of a vulnerability and ultimately produce a numerical score to reflect its severity as well as a qualitative metric (low, medium, or high) to provide a relative gauge for organizations managing vulnerabilities in their systems and environments.
The system has existed since 2005 and achieved widespread adoption and has become the definitive vulnerability scoring system utilized by the NIST National Vulnerability Database (NVD). It has been leveraged by leading vulnerability management tooling and vendors.
CVSS is evolving in the face of criticism
Despite widespread adoption, CVSS has faced several strong critiques: Its scoring approach is complex, it’s too subjective, and it’s widely misused for vulnerability prioritization. That said, the CVSS Special Interest Group (CVSS SIG) run by the global cybersecurity forum FIRST has continued to innovate upon the CVSS framework and is on the cusp of releasing CVSS 4.0.
Set for official publication on October 1, 2023, CVSS 4.0 has begun a public preview and comment period. Understanding the update’s key aspects — what it looks to address, and some of the remaining gaps or challenges that still leave some practitioners skeptical of its use and value — is helpful in determining whether it will be a vulnerability-scoring breakthrough or a broken system that may need to be rethought.
Earlier in 2023, industry leaders Dave Dugal and Dale Rich, who co-lead the CVSS SIG, gave a talk that covered key items such as the chronology of CVSS, challenges that emerged in CVSS 3.0, and the goals of CVSS 4.0. Dugal and Rich stressed that CVSS is much more than a base score repository and emphasized that the more metrics used to enrich CVSS scoring, the higher its quality. To help alleviate the challenge of widespread use of only the CVSS base score and the underutilization of additional metrics in vulnerability calculations, CVSS 4.0 will introduce the use of new nomenclatures, such as:
- CVSS-B: CVSS Base Score
- CVSS-BT: CVSS Base + Threat Score
- CVSS-BE: Base + Environmental Score
- CVSS-BTE: CVSS Base + Threat + Environmental Score
Key CVSS changes will include new and revised nomenclature
Other key changes will include the introduction of a new base metric titled Attack Requirements (AT), an update to the User Interaction (UI) metric, and retiring the Scope (S) base metric. Most notably, the longstanding “Temporal” metric has now been renamed to “Threat”, retiring the Remediation Level (RL) and Report Confidence (RC) metrics and renaming Exploit Code Maturity to Exploit Maturity, in recognition that not all exploits are code oriented.
