Vulnerability Management

CVSS (Common Vulnerability Scoring System)

An open framework for communicating the characteristics and severity of software vulnerabilities, producing a numerical score from 0.0 to 10.0 and an associated severity rating.

CVSS produces a base score reflecting intrinsic characteristics of a vulnerability — attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality/integrity/availability. CVSS 3.1 is the current widely-used version; CVSS 4.0 was published in 2023 but adoption remains partial.

Severity ratings: 0.0 = None; 0.1-3.9 = Low; 4.0-6.9 = Medium; 7.0-8.9 = High; 9.0-10.0 = Critical.

CVSS is widely used in compliance reporting (PCI-DSS, SOC 2) and vulnerability management programmes. It has known limitations: the base score does not reflect exploitability in the wild, business context, or compensating controls. CISA's Known Exploited Vulnerabilities (KEV) catalogue, EPSS (Exploit Prediction Scoring System), and threat intelligence-driven prioritisation address these gaps.

← Back to Glossary