The Forum of Incident Response and Security Teams (FIRST) has recently announced the release of CVSS v4.0, the latest version of the Common Vulnerability Scoring System (CVSS) standard. This update comes more than eight years after the release of CVSS v3.0 in June 2015.
Version 4.0 of CVSS aims to improve vulnerability assessment for both industry and the public, according to FIRST.
CVSS is used to measure the severity of security vulnerabilities. It assigns a numerical score to each vulnerability, which can be translated into levels like low, medium, high, and critical. This helps organizations prioritize their vulnerability management.
In July 2019, an important update was made to CVSS v3.1. It highlighted that CVSS is meant to gauge the seriousness of a vulnerability and should not be the sole factor in evaluating risk.
CVSS v3.1 has received criticism for its scoring scale and for not properly representing health, human safety, and industrial control systems.
The new standard has added extra metrics to assess vulnerabilities. These metrics include Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U).
It introduces new names for scoring CVSS. The new names are Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE).
“The recommended approach is to emphasize that CVSS encompasses more than just the Base score, and this terminology should be employed whenever a numerical CVSS value is presented or conveyed.”
“The CVSS Base Score should be considered in conjunction with the analysis of the environment and attributes that may change over time.”