The Common Vulnerability Scoring System (CVSS) is increasingly indispensable to organizational security: it lets organizations prioritize vulnerabilities according to the risk level of their CVSS score (low, medium or high).

Vulnerabilities in company software are a constant concern, because attackers can exploit them to steal important data and even cause damage.

Organizations should have a process in place to identify vulnerabilities and remediate them as soon as possible.

CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is a public framework for assessing the severity of software security vulnerabilities. CVSS assigns a numerical score that classifies vulnerabilities by severity, so a vulnerability with a high score can be prioritized for remediation.


How is it used? CVSS scores are calculated from metrics that fall into three groups: Base, Temporal and Environmental. Each is broken down below.

Base metric group

This group captures the characteristics of a vulnerability that remain constant over time. It is one of the most widely used in organizations, which rely on it to measure the impact of vulnerabilities and prioritize them.

The severity derived from this group is expressed as a score from zero to ten (from least risky to most risky).

The base metric group is made up of several sets of metrics that together produce the CVSS base score:

Exploitation metrics: indicate how easily the vulnerability can be exploited. There are four exploitation metrics:

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction

Impact metrics: measure the impact an attacker causes by exploiting the vulnerability. They are divided into three metrics:

  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

Scope metrics: analyze whether a vulnerability found in one system affects a different system.

Organizations can also modify the base metrics by scoring the temporal and environmental metrics.

Temporal metric group

Unlike the base group, this group changes over time: it measures the state of the vulnerability at the moment of scoring. It is divided into three metrics:

Exploit Code Maturity: measures how difficult it is for an attacker to exploit the vulnerability.

Remediation Level: analyzes whether a solution to the vulnerability is available.

Report Confidence: measures the assurance that sources give about the existence of the vulnerability.

Environmental metric group

This group lets organizations modify the base CVSS metrics according to business factors that may affect the severity of a vulnerability. Environmental metrics are divided into:

Modified Base Metrics: as explained above, organizations can modify the base metrics to account for corrective measures that reduce the possibility of an attacker reaching the vulnerability and subsequently exploiting it.

Confidentiality Requirements: these are measured in terms of confidentiality, integrity and availability, according to how the organization rates the affected asset.

CVSS score for severity rating

Using this system has helped security teams assess the vulnerabilities in their company's systems. This is possible because CVSS is an open system, so the organization has full access to the factors that go into the score.

CVSS scores identify the risk or severity of the vulnerabilities found in the organization, so that the ones to mitigate first can be prioritized. Based on the FIRST CVSS score, it would look like this:


Difference between CVSS and CVE

CVE (Common Vulnerabilities and Exposures) provides a unique identifier for each vulnerability, without severity scores or prioritization ratings. CVE is a list of specific security vulnerabilities, each assigned a CVE identification number.

Rather than differing from CVE, CVSS complements it: CVSS provides the severity rating for each CVE found in organizations' software.