The Forum of Incident Response and Security Teams (FIRST) is a non-profit organization that aims to help computer security incident response teams across the world. FIRST is also the owner and manager of the Common Vulnerability Scoring System (CVSS), which is an open framework for communicating the characteristics and severity of software vulnerabilities [1].
CVSS provides a standardized way to measure and compare the impact of different vulnerabilities, based on various technical factors, such as how easy they are to exploit, how much damage they can cause, and how difficult they are to fix. CVSS also allows users to customize the scores according to their specific environment and threat landscape, by taking into account additional metrics, such as the availability of exploits, the value of the affected assets, and the effectiveness of the existing security controls [2].
CVSS has been evolving since its first version in 2004, with major updates in 2007 (v2.0) and 2015 (v3.0). The latest version, CVSS v4.0, was officially released on November 1, 2023, after a public preview and comment period that started on June 8, 2023 [1]. CVSS v4.0 introduces several changes and improvements over the previous version, with the goal of making it more accurate, transparent, and applicable to a wider range of vulnerabilities [2].
Some of the main features of CVSS v4.0 are:
- Reinforcing the concept that CVSS is not just the Base score, but also includes Threat and Environmental metrics that can modify the score according to the current and specific situation of a vulnerability [1]. CVSS v4.0 also introduces new nomenclature to identify different combinations of these metric groups: CVSS-B for Base score only, CVSS-BT for Base + Threat score, CVSS-BE for Base + Environmental score, and CVSS-BTE for Base + Threat + Environmental score [2].
- Providing finer granularity through the addition of new Base metrics and values, such as Attack Requirements (AT), which indicates whether an attacker needs physical access, network access, or local access to exploit a vulnerability; User Interaction (UI), which distinguishes between passive and active user involvement in triggering a vulnerability; and Vulnerable System (VC, VI, VA) and Subsequent System (SC, SI, SA), which separately assess the impact of a vulnerability on the system where it exists and on other systems that are affected by it [2].
- Enhancing the disclosure of impact metrics by retiring the Scope metric from CVSS v3.0, which was often confusing and ambiguous, and replacing it with an explicit assessment of impact to the Vulnerable System and the Subsequent System [2].
- Simplifying the Threat metrics by removing Remediation Level (RL) and Report Confidence (RC), which were often subjective and inconsistent, and focusing only on Exploit Maturity (E), which reflects the availability and reliability of exploits for a vulnerability [2].
- Introducing a new Supplemental metric group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score, but can provide useful information for prioritization and remediation decisions. These attributes include Safety (S), which indicates whether a vulnerability can cause physical harm or loss of life; Automatable (A), which indicates whether a vulnerability can be exploited by automated tools or scripts; Recovery (R), which indicates whether a system can recover from a successful exploitation; Value Density (V), which indicates how much sensitive or valuable data is stored or processed by a system; Vulnerability Response Effort (RE), which indicates how much effort is required to fix or mitigate a vulnerability; and Provider Urgency (U), which indicates how quickly a provider is expected to release a patch or update for a vulnerability [2].
- Increasing the focus on operational technology (OT), industrial control systems (ICS), and safety-critical systems by allowing consumers to assess the safety impact of a vulnerability on their own environment through the MSI:S and MSA:S Environmental metric values, and by allowing providers to indicate the safety impact of a vulnerability in their products through the Safety (S) Supplemental metric [2].
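The metric groups and the CVSS-B/BT/BE/BTE nomenclature listed above, as an added Python example written for this article (not FIRST's own calculator or code): it parses a v4.0 vector string, rejects v3-style input such as a Scope value or the retired RL metric, requires all eleven Base metrics (including the new AT), and names the combination of score-affecting groups that are actually set. It assumes the metric abbreviations of the v4.0 vector string format, in which Automatable is written AU, and its allowed-value table covers only the metrics the text singles out.

```python
import re

# Metric groups of the v4.0 vector string format (assumed from the v4.0 spec).
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}  # Automatable is AU in vectors
# Allowed values for the metrics the text singles out ("X" = Not Defined).
# In v4.0 "S" is Supplemental Safety (N/P); the v3 Scope values U/C are gone.
VALUES = {
    "AT": {"N", "P"}, "UI": {"N", "P", "A"}, "E": {"X", "A", "P", "U"},
    "MSI": {"X", "N", "L", "H", "S"}, "MSA": {"X", "N", "L", "H", "S"},
    "S": {"X", "N", "P"}, "AU": {"X", "N", "Y"}, "R": {"X", "A", "U", "I"},
    "V": {"X", "D", "C"}, "RE": {"X", "L", "M", "H"},
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}

def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:4.0/AV:N/...' into a metric->value map, rejecting bad input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector (expected 'CVSS:4.0/' prefix)")
    metrics = {}
    for part in body.split("/"):
        match = re.fullmatch(r"([A-Z]{1,3}):([A-Za-z]+)", part)
        if not match:
            raise ValueError(f"malformed metric {part!r}")
        key, value = match.groups()
        if key not in BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL or key in metrics:
            raise ValueError(f"unknown or duplicate metric {key!r}")
        if key in VALUES and value not in VALUES[key]:
            raise ValueError(f"value {value!r} not allowed for {key}")
        metrics[key] = value
    missing = BASE - set(metrics)
    if missing:  # every Base metric is mandatory, including the new AT
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return metrics

def is_valid_vector(vector: str) -> bool:
    """True if parse_vector() accepts the string, False on any ValueError."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False

def nomenclature(metrics: dict) -> str:
    """CVSS-B/-BT/-BE/-BTE from the score-affecting groups set; "X" counts as unset."""
    has_threat = any(metrics.get(k, "X") != "X" for k in THREAT)
    has_env = any(metrics.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")
```

Supplemental metrics pass validation but never change the nomenclature, matching their score-neutral role.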
CVSS v4.0 aims to provide a more comprehensive and flexible framework for assessing the severity of software vulnerabilities in different contexts and scenarios. It also strives to improve the clarity and consistency of its definitions and calculations, as well as its documentation and guidance. CVSS v4.0 is expected to be widely adopted by security researchers, vendors, organizations, and users as a common language for describing and comparing the characteristics and risks of vulnerabilities [2].