First Announcing CVSS 4.0 – The New Vulnerability Scoring System

The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015.

“This latest version of CVSS 4.0 seeks to provide the highest reliability of vulnerability assessments for both industry and the public,” First said in a statement.

CVSS essentially provides a way to capture the key technical characteristics of a security vulnerability and generate a numerical score reflecting its severity. The score can be translated into different levels such as low, medium, high and critical to help organizations prioritize their vulnerability management processes.

One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that “CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.”

CVSS v3.1 has also attracted criticism for a general lack of granularity in the scoring scale and for failing to adequately represent health, human safety and industrial control systems.

The latest revision to the standard aims to address some of these shortcomings by providing several supplemental metrics for vulnerability assessment, such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE ), and Provider Urgency (U).

It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.

The idea is to “reinforce the concept that CVSS is not just a base score,” First said, adding that “this nomenclature should be used wherever numerical CVSS values are displayed or communicated.”

It states, “The CVSS base score should be complemented with analysis of the environment (environmental metrics) and characteristics that may change over time (threat metrics).

Related posts

Security expert turns out to be a scammer, used Apple’s bug to rob the company of $2.5 million

US cyber security agency warns that Ivanti EPMM vulnerability is being actively exploited

PAX PoS terminal flaw could allow attackers to tamper with transactions

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More