pgarner18

What is CVSS and How is it Important

History:

CVSS stands for Common Vulnerability Scoring System and was developed by the NIAC (National Infrastructure Advisory Council) in 2003 and 2004. The first version of CVSS, known as CVSSv1, was released in 2005 and was designed to provide a universal standard for rating the severity of software vulnerabilities. The same year, FIRST (Forum of Incident Response and Security Teams) took over CVSS and has continued to develop it.

Feedback and suggestions from CVSSv1 users led FIRST to begin developing CVSSv2 in April 2005 (two months after the initial release of CVSSv1). CVSSv2 officially launched in June 2007. Further feedback led to work on CVSSv3 beginning in 2012, with the full update released in June 2015.


Current Version Terminology

Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. Base Metrics include:

  • Attack Vector

  • Attack Complexity

  • Privileges Required

  • User Interaction

  • Confidentiality Impact

  • Integrity Impact

  • Availability Impact

  • Scope

Temporal: represents the characteristics of a vulnerability that change over time but not among user environments. Temporal Metrics include:

  • Exploit Code Maturity

  • Remediation Level

  • Report Confidence

Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment. Environmental Metrics include:

  • Modified Base Metrics

  • Confidentiality Requirement

  • Integrity Requirement

  • Availability Requirement

How A CVSS Score is Obtained







Why is CVSS Important?

CVSS provides a comprehensive framework for assessing vulnerabilities. The scoring system is widely used and has many applications. CVSS's most important aspect is that it provides a unified standard for all interested parties. When mitigating risks, standardization is imperative.


CVSS scores go beyond simple standardization. Security teams and product developers can use these scores to prioritize their efforts to improve security. Teams of security experts can efficiently allocate limited resources within organizations using CVSS scores.


Monitoring capabilities, time devoted to patching, or even threat hunting to assess whether a vulnerability has already been exploited are part of these resources. This is especially useful for small teams that may lack the resources to address every vulnerability.


Researchers can also utilize CVSS scores to assess security. In addition to highlighting particularly vulnerable components, these scores can also indicate tactics and tools that are particularly effective. As a result, researchers can develop new security practices and tools to detect and eliminate threats as soon as possible.


Finally, CVSS scores provide developers and testers with valuable information that can help prevent vulnerabilities in the first place. Understanding vulnerabilities with high CVSS scores can be used to prioritize testing. These scores can also reveal areas where code security best practices can be improved. Teams can learn from others' mistakes instead of waiting until their own products are discovered to be vulnerable.
