
Will CVSS v3 change everything? Understanding the new glossary
The Common Vulnerability Scoring System (CVSS) gives organizations a common language for describing the severity of vulnerabilities. Since the first version was published in 2005, CVSS has been adopted by many organizations.
Today, CVSS scores appear in most major vulnerability databases, including government databases such as the National Vulnerability Database (NVD). However, the CVSS of 2005 is not the same standard that is used today. This article reviews the most recent changes introduced in the latest version of CVSS.
What is CVSS?
The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of known vulnerabilities in software and hardware components. It was commissioned by the US National Infrastructure Advisory Council (NIAC), which released the first version in 2005, and it has been maintained by the Forum of Incident Response and Security Teams (FIRST) since that year.
The framework is designed to help security professionals quantify the severity of a given vulnerability, prioritize remediation work and share a common vocabulary for describing vulnerabilities. Most major vulnerability databases and advisory sources publish CVSS scores so that practitioners can filter and triage findings. One caveat worth keeping in mind: a CVSS base score measures the intrinsic severity of a vulnerability, not the risk it poses to a particular deployment; the temporal and environmental metric groups exist to adjust the base score for exploit maturity and for the affected environment.
What’s new in CVSS 3
CVSS 3.1, released in 2019, is the most recent version of the framework at the time of writing. It is an incremental update to CVSS 3.0 that clarifies and refines the existing standard (for example, the wording of the base metric definitions and the rounding function used in the scoring formulas) but adds no new metrics. This is part of an ongoing effort to make CVSS more accessible and easier to use.
For example, the 3.x specification documents are accompanied by a separate user guide and an examples document that walks through scoring real vulnerabilities. These resources help ensure that the standard is applied consistently by different analysts.
Despite changes to make the standard more user-friendly, understanding how to implement CVSS v3 can still be a challenge. There are several changes you should (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Gilad Maayan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/gKMPlFR6aGw/