CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities in software. Operated by the Forum of Incident Response and Security Teams (FIRST), the CVSS uses an algorithm to determine three severity rating scores: Base, Temporal and Environmental. The scores are numeric; they range from 0.0 through 10.0 with 10.0 being the most severe.

The Base score is the metric most relied upon by enterprises and deals with the inherent qualities of a vulnerability. The Temporal scores represent the qualities of the vulnerability that change over time, and the Environmental score represents the qualities of the vulnerability that are specific to the affected user's environment. According to the most recent version of the CVSS, v3.0, a score of 0.0 receives a "None" rating; a 0.1-3.9 score gets a "Low" severity rating; a score of 4.0-6.9 is a "Medium" rating; score of 7.0-8.9 is a "High" rating; and a score of 9.0 - 10.0 is a "Critical" rating.

The CVSS allows organizations to prioritize which vulnerabilities to fix first and gauge the impact of the vulnerabilities on their systems. Many organizations use the CVSS, and the National Vulnerability Database provides scores for most known vulnerabilities. According to the NVD, a CVSS base score of 0.0-3.9 is considered "Low" severity; a base CVSS score of 4.0-6.9 is "Medium" severity; and base score of 7.0-10.0 is "High" severity.

The CVSS was introduced in 2005 by the National Infrastructure Advisory Council (NIAC), which turned over management and development of the standard to FIRST. The current version, CVSS 3.0, was introduced in June of 2015. As a free and open standard, several vendors such as Oracle have customized their own versions of the CVSS.