New CVSS Vulnerability Severity Scorecard

Earlier this month, the Forum of Incident Response and Security Teams (FIRST) released the latest generation of the Common Vulnerability Scoring System (CVSS), CVSS 4.0.

Among the numerous changes made, the revised standard offers the following improvements:

  • Finer granularity in base metrics for consumers
  • Removal of downstream scoring ambiguity
  • Simplification of threat metrics
  • More effective way to assess environment-specific security requirements and compensating controls

FIRST added supplemental metrics for vulnerability assessment, including automatable (wormable), recovery (resilience), value density, vulnerability response effort and provider urgency. In addition, the CVSS has expanded its applicability to vulnerabilities in operation technology, industrial control systems and Internet of Things devices, with safety metrics and values added to both the supplemental and environmental metric groups.

FIRST Formed in Response to the Rise of Worms

The FIRST was formed in 1990 in response to the emergence of “worms” that shut down parts of the internet. Since then, the organization has evolved in response to the changing needs of the incident response and security teams and their constituencies.

The CVSS, developed by FIRST in 2005, assesses and communicates the severity of security vulnerabilities in software and hardware. Evaluating vulnerabilities based on their impact and exploitability provides a standardized way to prioritize them. The CVSS helps organizations and security professionals address and mitigate vulnerabilities through a strategic approach.

CVSS scores vulnerabilities on a scale of 0 to 10, with 10 being the most serious. In this way, organizations can first tackle vulnerabilities that pose the most significant risk to their systems and data.

Cybersecurity professionals, system administrators and organizations can use CVSS to effectively assess and manage security vulnerabilities.

“The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality. I am immensely proud of the CVSS-SIG for the hard work and dedication it has taken to produce version 4.0. And it is timely as we continue to see a significant rise in threats across the world,” said FIRST CEO Chris Gibson.

New capabilities make this release a significant step forward for teams, with threat intelligence and environmental metrics crucial for accurate scoring.

New CVSS Nomenclature

FIRST also adopted a new CVSS nomenclature in version 4.0:

  • CVSS-B: CVSS Base Score
  • CVSS-BT: CVSS Base + Threat Score
  • CVSS-BE: CVSS Base + Environmental Score
  • CVSS-BTE: CVSS Base + Threat + Environmental Score

To make the internet safe for everyone, worldwide collaboration is more important than ever, and standards like CVSS 4.0 are essential for the private and public sectors alike, Gibson concluded.

MBL Technologies provides comprehensive cybersecurity services for long-term, sustainable solutions that address every facet of the evolving threat landscape, including mitigating cybersecurity vulnerabilities. We help boost your cybersecurity posture and implement cybersecurity best practices for your organization. Contact us today to learn more.

Learn more about our diverse set of technology services for the federal and commercial markets.