Common Vulnerability Scoring System (CVSS)

“The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”

The FIRST CVSS SIG gathers feedback to improve the CVSS.

CVSS provides a simple estimate of a vulnerability’s severity from a few principal characteristics. However, the ultimate importance of a software vulnerability to an organization depends on many details of exactly how the software is used; no simple system like CVSS can fully capture this. Many find CVSS helpful (since there are many known vulnerabilities). However, do not assume that a vulnerability with a critical severity is always truly critical to your organization, and do not assume that a vulnerability with medium severity is always less important to your organization.

Source: https://www.first.org/cvss/

Last modified March 21, 2025: Add CVSS (009aa37)