The Common Vulnerability Scoring System (CVSS) is an open framework used by organizations across the world to determine the severity of cybersecurity vulnerabilities. These scores provide a valuable common benchmark for cybersecurity teams, who use CVSS scoring as part of their vulnerability management programs. However, CVSS base scoring is not without significant limitations, which we will address below.
What is CVSS?
Cybersecurity teams benefit from universal frameworks or benchmarks they can use to evaluate and compare threats and risks. One of the most popular such frameworks is CVSS scoring, a vulnerability rating method used to determine the severity of cyber vulnerabilities and help guide the order in which they should be addressed.
The CVSS framework was launched in 2005, based on research done by the National Infrastructure Advisory Council (NIAC). Shortly after creating the first version of the vulnerability rating framework, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to be the custodian of the CVSS framework. In subsequent years, CVSS has been updated multiple times to improve the utility of the framework.
How to Calculate CVSS Score
CVSS scores are calculated from a set of metrics and range from 0.0 to 10.0, with 10.0 the most severe. The qualitative rating scale defined in the specification maps 0.1 to 3.9 to "Low," 4.0 to 6.9 to "Medium," 7.0 to 8.9 to "High" and 9.0 to 10.0 to "Critical." In addition to the widely used base score, temporal and environmental scores exist that account for factors the base score deliberately ignores.
CVSS therefore defines three metric groups: base, temporal and environmental. (CVSS v4.0, published by FIRST in November 2023, renames the temporal group "threat" metrics; the descriptions below follow CVSS v3.x.)
- Base metrics measure qualities intrinsic to a vulnerability, which do not change over time or across user environments. They are grouped into three subscore elements: exploitability (attack vector, attack complexity, privileges required, user interaction), impact (confidentiality, integrity, availability) and scope (whether exploitation affects resources beyond the vulnerable component).
- Temporal metrics measure characteristics that evolve over the lifetime of a vulnerability: the maturity of publicly available exploit code, the availability of remediation (an official patch, a temporary fix or a workaround) and the confidence in the vulnerability report.
- Environmental metrics let an organization adjust a score for its own deployment. It can raise or lower the confidentiality, integrity and availability requirements to reflect the value of the affected asset, and override individual base metrics to reflect mitigations already in place (for example, setting the attack vector to "adjacent" for a host reachable only from an internal network).
Since its creation, CVSS scoring has become deeply entrenched within the realm of cybersecurity, and many organizations treat it as the primary or default way to gauge the severity of a vulnerability, including the National Vulnerability Database, the (now discontinued) Open Source Vulnerability Database and the CERT Coordination Center.
Yet CVSS scoring also has some significant limitations.
The Limitations of the CVSS Framework
CVSS base scores represent only the severity of a vulnerability. They do not consider the risk that severity poses to your specific environment or provide a true cyber risk score. Without that risk context, it is not possible to prioritize vulnerability remediation effectively: a vulnerability may be critical in the abstract and yet pose no risk at all in your particular environment, for instance because the vulnerable component is not deployed, not reachable or already mitigated.
Base CVSS scores are publicly available and easy to access through a number of major databases. As a result, they are often the first place security teams look when it is time to prioritize and patch. However, relying on base scores in a vacuum is a serious mistake, because they carry no risk context, do not account for real-world exploitation and do not consider the availability of mitigations. The temporal and environmental metrics exist to capture exactly that information, but public feeds typically publish only the base score, so the consuming organization has to supply the rest itself.
Proceeding without this information may cause a vulnerability management (VM) team to waste precious time on vulnerabilities that pose no threat, instead of devoting its resources to the much smaller number of exposures that pose the greatest risk to business-critical assets.