
What is CVSS and how should security teams use it?

Published on
October 4, 2025

Introduction

CVSS (Common Vulnerability Scoring System), maintained by FIRST, assigns software vulnerabilities a severity score from 0.0 to 10.0 so that security teams can compare them and prioritize remediation. It folds a vulnerability's exploitability and potential impact into a single number, and the accompanying vector string records every metric value behind that number.


FAQ

1. What is CVSS?

CVSS is a standardized framework that produces numeric vulnerability scores between 0.0 and 10.0 to indicate severity. Teams use it to triage and compare vulnerabilities across systems.

2. How are CVSS scores calculated?

In CVSS v3.x, scores come from three metric groups: Base, Temporal, and Environmental. Base captures the vulnerability's intrinsic properties; Temporal reflects the state of exploit code, fixes, and report confidence; Environmental adjusts for your organization's assets and controls. Each group's score is derived from the previous one by a published formula, and the Base score is the one vendors and NVD publish. CVSS v4.0 keeps Base and Environmental, renames Temporal to Threat, and adds a Supplemental group that carries extra context without changing the score.

3. What do CVSS score ranges mean?

Scores map to qualitative severity bands (the same in CVSS v3.x and v4.0): 0.0 = None, 0.1–3.9 = Low, 4.0–6.9 = Medium, 7.0–8.9 = High, 9.0–10.0 = Critical. Higher values indicate greater urgency for remediation. The bands are a reporting convenience; store and compare the numeric score and the vector string, since CVSS v2 used different bands (only Low, Medium, and High).

4. What are Base metrics?

Base metrics describe an issue's technical characteristics that don't change across environments or over time. In v3.x they are the exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction), the Scope metric (whether a successful exploit affects resources beyond the vulnerable component's own security authority), and the impact metrics for Confidentiality, Integrity, and Availability. CVSS v4.0 drops Scope, adds Attack Requirements, and scores impact separately for the vulnerable system and any subsequent systems.

5. What are Temporal metrics?

Temporal metrics (v3.x) capture factors that change over time: Exploit Code Maturity (is a proof of concept or a weaponized exploit public?), Remediation Level (official fix, temporary fix, workaround, or none), and Report Confidence (how well the vulnerability has been confirmed). Every Temporal weight is at most 1.0, so the Temporal score can only equal or lower the Base score, never raise it. CVSS v4.0's Threat group keeps just Exploit Maturity.

6. What are Environmental metrics?

Environmental metrics let you tailor the score to your own deployment. The Security Requirements (CR, IR, AR) state how much confidentiality, integrity, and availability matter for the affected asset, and the Modified Base metrics let you override any Base metric to reflect compensating controls, for example a service that is only reachable from a management network. That means the same vulnerability can be scored down for a low-value or isolated asset and up for a crown-jewel system.

7. Which CVSS version should I use?

Use the most current version your tools and data sources support; today that is typically CVSS v3.1 or v4.0. The same vulnerability can score differently under different versions because the metrics and formulas differ, so record the version alongside every score. The vector string makes this explicit: it begins with a prefix such as CVSS:3.1/ or CVSS:4.0/.

8. What are CVE and CVSS and how do they relate?

CVE is an identifier for a specific vulnerability, assigned through the CVE Program run by MITRE; CVSS is the scoring method, maintained by FIRST, that rates that vulnerability's severity. Think of CVE as the name tag and CVSS as the danger rating attached to it. A CVE identifier carries no score by itself: NVD, vendors, and other parties publish CVSS scores for it, and they do not always agree.

9. What are CVSS’s limitations?

CVSS measures severity, not risk. It provides a consistent starting point but can't capture business context or active exploitation trends, and the Base score won't tell you whether attackers are currently exploiting an issue. Combine CVSS with threat intelligence (for example, known-exploited-vulnerability lists) and exploit prediction systems such as EPSS.

10. How should teams use CVSS in triage?

Begin with the Base score for initial sorting, then refine with Temporal (Threat in v4.0) and Environmental metrics. Cross-check the result against asset criticality, business impact, and current exploit activity to set remediation windows; a Medium on an internet-facing crown-jewel system with a public exploit can deserve a shorter window than a Critical on an isolated lab host.

11. Can automated scanners rely solely on CVSS?

No. Automated scans flag many issues, but CVSS alone won't capture context or compensating controls, and scanner scores are usually NVD Base scores with no Environmental input. Use human review for high-value assets and validate scanner findings (false positives, unreachable components, existing mitigations) before they trigger emergency change windows.

12. How do I handle differing scores from different sources?

Confirm which CVSS version and which metric values each source used; the vector string shows this, the bare number does not. Scores from different versions are not interchangeable, so compare vectors under one version and re-score if necessary. If discrepancies remain, treat them as a prompt to check the assumptions (for instance, whether user interaction is really required), then prioritize based on your environment and available exploit data.

Quick Takeaways

  • CVSS scores range 0.0–10.0 to standardize vulnerability severity.
  • Base, Temporal (Threat in v4.0), and Environmental metrics together shape the final score.
  • Use CVSS for triage, not as the only decision factor.
  • CVSS versions differ—record the version used in your workflow.
  • Combine CVSS with threat intelligence and asset criticality for effective prioritization.

Additional Resources

For tooling and guidance on scoring and prioritization, check Palisade’s resources: Palisade vulnerability scoring tools.

FAQs

Q: Does CVSS measure exploit probability?

A: Not directly. CVSS's exploitability metrics rate how easy an issue is to exploit (attack vector, complexity, privileges, user interaction), not how likely it is to be exploited. Combine CVSS with exploit prediction feeds such as EPSS and with known-exploited-vulnerability lists for likelihood assessments.

Q: How often should I recalculate Environmental scores?

A: Update Environmental metrics anytime asset criticality or controls change, and after major configuration updates. Regular reassessment ensures priorities reflect current risk.

Q: Are there tools that automate CVSS calculations?

A: Yes, many vulnerability management platforms calculate CVSS automatically from vulnerability records and allow manual adjustments for environmental factors. Keep the full vector string with every adjusted score, not just the number, so the adjustment can be audited later.

Q: Should low CVSS scores be ignored?

A: No—low scores can still be relevant on sensitive systems or when chained with other issues. Evaluate low-scoring findings against asset importance and compensating controls.

Q: How do CVSS and EPSS complement each other?

A: CVSS rates technical severity; EPSS (Exploit Prediction Scoring System, also published by FIRST) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. Using both gives a fuller picture of risk: a high CVSS with a negligible EPSS can usually wait, while a moderate CVSS with a high EPSS on an exposed asset should not.
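The triage approach described in question 10 and in the EPSS answer above, as an added Python example (not code from the original page or from Palisade): a CVSS Base score is scaled by an asset-criticality weight standing in for Environmental tailoring, then combined with an EPSS probability to pick a remediation window. The tier weights, the EPSS threshold, and the SLA days are illustrative policy assumptions rather than values from any specification, and the findings are constructed with placeholder labels, not real CVE identifiers.

```python
"""Risk-based triage combining CVSS, EPSS and asset criticality (added example).

Tier weights, the EPSS threshold and the SLA windows below are assumed policy
values for illustration; they are not taken from the CVSS or EPSS specs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str        # placeholder label, not a real CVE identifier
    cvss: float      # CVSS v3.1 Base score, 0.0-10.0
    epss: float      # EPSS probability of exploitation within 30 days, 0.0-1.0
    asset_tier: str  # key into TIER_WEIGHT


# Assumed asset-criticality weights, standing in for Environmental tailoring.
TIER_WEIGHT = {"crown-jewel": 1.0, "internal": 0.8, "isolated": 0.5}
# Assumed policy: an EPSS at or above this is treated as "exploitation likely".
EPSS_LIKELY = 0.10
# Assumed remediation windows, in days, per bucket.
SLA_DAYS = {"urgent": 7, "high": 30, "normal": 90, "backlog": 180}
BUCKET_ORDER = {"urgent": 0, "high": 1, "normal": 2, "backlog": 3}


def weighted_severity(f: Finding) -> float:
    """CVSS Base score scaled down for less critical or isolated assets."""
    return f.cvss * TIER_WEIGHT[f.asset_tier]


def remediation_bucket(f: Finding) -> str:
    """Severity alone never decides: likelihood (EPSS) and context both count."""
    sev = weighted_severity(f)
    likely = f.epss >= EPSS_LIKELY
    if likely and sev >= 7.0:
        return "urgent"
    if likely or sev >= 7.0:
        return "high"
    if sev >= 4.0:
        return "normal"
    return "backlog"


def prioritise(findings) -> list:
    """Order by bucket, then by exploit likelihood, then by weighted severity."""
    return sorted(
        findings,
        key=lambda f: (BUCKET_ORDER[remediation_bucket(f)], -f.epss, -weighted_severity(f)),
    )


# Constructed sample findings (labels and numbers are made up for the example).
SAMPLE = [
    Finding("critical-but-isolated", 9.8, 0.002, "isolated"),
    Finding("medium-actively-exploited", 6.1, 0.62, "crown-jewel"),
    Finding("high-and-exploited", 7.8, 0.91, "crown-jewel"),
    Finding("low-quiet", 3.1, 0.01, "internal"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        bucket = remediation_bucket(f)
        print(f"{f.name:28} cvss={f.cvss:4} epss={f.epss:.3f} "
              f"-> {bucket} ({SLA_DAYS[bucket]} days)")
```

The point the ordering makes is the one the page argues: the 9.8 on an isolated host drops to a normal window once its asset weight and near-zero EPSS are taken into account, while the 6.1 on a crown-jewel system with a high EPSS moves ahead of it. Swap in your own tier weights and thresholds; the structure (severity, likelihood, context, in that order of questions) is what matters.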
