What is CVSS?
Frequently Asked Questions: CVSS stands for the Common Vulnerability Scoring System and is a vendor-agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone.
Who developed CVSS?
CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) tasked in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams) http://www.first.org/. CVSS was a joint effort involving many groups including: Since the original release of CVSS, additional groups have joined the CVSS effort and assisted in developing version 2 of CVSS. The current list of major participants is available at www.
What is involved in CVSS?
The CVSS model is designed to provide the end user with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base Metrics contain qualities that are intrinsic to any given vulnerability that do not change over time or in different environments.
Where can I get CVSS scores?
There are many sources of CVSS scores. Several major sources of CVSS scores are posted at http://www.first.org/cvss/scores.html.
Where can I get the CVSS code?
CVSS is a framework that you can use to develop an application suitable to your needs, your environment or your customers. There is no established code as of yet. However, there are several CVSS calculators available; a listing of some calculators is posted at http://www.first.org/cvss/scores.html.
What is the current version of CVSS?
The current version of CVSS is version 2. It was finalized and released to the public in June 2007. This FAQ addresses CVSS version 2 only, although there are many similarities between versions 1 and 2. Information on CVSS version 1 is available from the NIAC Paper on CVSS at http://www.first.org/cvss/cvss-dhs-12-02-04.pdf.
How can I help establish CVSS throughout the industry?
Where can I get more information on CVSS? A: You can get more information at FIRST, the current custodian for CVSS, at http://www.first.org/cvss. Documentation on CVSS metrics, formulas, and scoring is available at http://www.first.org/cvss/cvss-guide.html.
What does CVSS really offer that other scoring methodologies do not?
An open framework that can be used, understood, and improved upon by anybody to score vulnerabilities.
Where can I get more information on CVSS?
A: You can get more information at FIRST, the current custodian for CVSS, at http://www.first.org/cvss/. Documentation on CVSS metrics, formulas, and scoring is available at http://www.first.org/cvss/cvss-guide.html.
I am an end-user, and really like other vendors' scoring methods; why should I change to CVSS?
Other systems are closed competing standards, do not offer a mutable scoring framework, and do not consider different environments.
How should I use the Common Vulnerability Scoring System (CVSS) scores provided by NVD?
National Vulnerability Database FAQ: The CVSS scores within NVD can be used to prioritize how an organization handles vulnerabilities. For example, vulnerabilities with scores of 7 and greater should be addressed with great rapidity (possibly through an expedited change management process) while vulnerabilities with scores of less than 3 can usually be addressed through one's regular patching process.
How does critical / severe / moderate map to CVSS?
NeXpose Frequently Asked Questions: Critical - vulnerability on a system that is easily accessible, requires little or no authentication, and will provide the ability to: access confidential information, corrupt/delete data, or create a system outage. A score between 8 and 10 on the CVSS scoring system. Examples: No password on CIFS Administrator Account, Anonymous users can obtain the Windows password policy.