CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities.

There are a number of other vulnerability scoring systems managed by both commercial and non-commercial organizations (CWE for instance). They each have their merits, but they differ in what they measure.

CVSS consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score.

The metric groups and their metrics:

1. Base Metrics

1.1. Access Vector (AV)

1.2. Access Complexity (AC)

1.3. Authentication (Au)

1.4. Confidentiality Impact (C)

1.5. Integrity Impact (I)

1.6. Availability Impact (A)

2. Temporal Metrics

2.1. Exploitability (E)

2.2. Remediation Level (RL)

2.3. Report Confidence (RC)

3. Environmental Metrics

3.1. Collateral Damage Potential (CDP)

3.2. Target Distribution (TD)

3.3. Security Requirements (CR, IR, AR)

For additional information on CVSS:

