Scores are calculated based on a formula with several metrics that approximate the ease and impact of an exploit.[2]
Research by the National Infrastructure Advisory Council (NIAC) in 2003/2004 led to the launch of CVSS version 1 (CVSSv1) in February 2005,[3] with the goal of being "designed to provide open and universally standard severity ratings of software vulnerabilities".
In April 2005, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development.[4][5]
Feedback from vendors using CVSSv1 in production suggested there were "significant issues with the initial draft of CVSS".
Work on CVSS version 2 (CVSSv2) began in April 2005 with the final specification being launched in June 2007.[6]
Further feedback resulted in work beginning on CVSS version 3[7] in 2012, ending with CVSSv3.0 being released in June 2015.[8][3]
The CVSS assessment measures three areas of concern: A numerical score is generated for each of these metric groups.
The access complexity (AC) metric describes how easy or difficult it is to exploit the discovered vulnerability.
For locally exploitable vulnerabilities, the authentication (Au) value should only be set to Single or Multiple if further authentication is required after initial access.
Attacks that consume network bandwidth, processor cycles, memory, or any other resources affect the availability of a system.
Consider a buffer overflow vulnerability in web server software that allows a remote user to gain partial control of the system, including the ability to cause it to shut down. This would give an exploitability sub-score of 10 and an impact sub-score of 8.5, giving an overall base score of 9.0.
The values of the temporal metrics change over the lifetime of the vulnerability, as exploits are developed, disclosed and automated, and as mitigations and fixes are made available.
As it is not possible to be confident that every affected system has been fixed or patched, the temporal score cannot reduce below a certain level based on the vendor's actions, and may increase if an automated exploit for the vulnerability is developed.
The target distribution (TD) metric measures the proportion of vulnerable systems in the environment.
Three further metrics assess the specific security requirements for confidentiality (CR), integrity (IR) and availability (AR), allowing the environmental score to be fine-tuned according to the users' environment.[10]
The authors cited a lack of granularity in several metrics, which results in CVSS vectors and scores that do not properly distinguish vulnerabilities of different type and risk profiles.
The CVSS scoring system was also noted as requiring too much knowledge of the exact impact of the vulnerability.
Oracle introduced the new metric value of "Partial+" for Confidentiality, Integrity, and Availability, to fill perceived gaps in the description between Partial and Complete in the official CVSS specifications.
The numerical formulas were updated to incorporate the new metrics while retaining the existing scoring range of 0-10.
PR can take the values None, Low, or High; similarly, attacks requiring fewer privileges are more severe.
The Base vector also saw the introduction of the new Scope (S) metric, which was designed to make clear which vulnerabilities may be exploited and then used to attack other parts of a system or network.
These new metrics allow the Base vector to more clearly express the type of vulnerability being evaluated.
The Confidentiality, Integrity, and Availability (C, I, A) metrics were updated to have scores consisting of None, Low, or High, rather than the None, Partial, and Complete of CVSSv2.
The Environmental metrics of CVSSv2 were completely removed and replaced with essentially a second Base score, known as the Modified vector.
The Modified Base is intended to reflect differences within an organization or company compared to the world as a whole.
In a blog post in September 2015, the CERT Coordination Center discussed limitations of CVSSv2 and CVSSv3.0 for use in scoring vulnerabilities in emerging technology systems such as the Internet of Things.
FIRST has used input from industry subject-matter experts to continue to enhance and refine CVSS to be more and more applicable to the vulnerabilities, products, and platforms being developed over the past 15 years and beyond.
The primary goal of CVSS is to provide a deterministic and repeatable way to score the severity of a vulnerability across many different constituencies, allowing consumers of CVSS to use this score as input to a larger decision matrix of risk, remediation, and mitigation specific to their particular environment and risk tolerance.
The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard.
This results in the vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:L.
Versions of CVSS have been adopted as the primary method for quantifying the severity of vulnerabilities by a wide range of organizations and companies, including: