Overview
CVSS provides a numerical score reflecting the severity of a vulnerability. This score helps organizations prioritize their remediation efforts. The system is maintained by FIRST (Forum of Incident Response and Security Teams).
The Three Metric Groups
- Base Score: Represents the intrinsic qualities of a vulnerability (e.g., attack vector, complexity, impact on CIA).
- Temporal Score: Reflects the current state of the vulnerability (e.g., is there a public exploit? is there a patch?).
- Environmental Score: Allows organizations to customize the score based on their specific environment and the importance of the affected asset.
Severity Levels
- Low: 0.1 - 3.9
- Medium: 4.0 - 6.9
- High: 7.0 - 8.9
- Critical: 9.0 - 10.0