CVSS, which stands for Common Vulnerability Scoring System, is a standardised system for assessing the severity of IT vulnerabilities.
It assigns a numerical score between 0 and 10, reflecting the severity of a vulnerability and enabling corrective action to be prioritised. The system is maintained by FIRST (Forum of Incident Response and Security Teams). Created in 2005 by the National Infrastructure Advisory Council (NIAC), it aims to provide a universal and reproducible method for measuring and comparing the severity of vulnerabilities in information systems.
Versions and upgrades
Since its creation, the CVSS has undergone several updates to meet the growing need for precision and adaptability. The current version, CVSS v4.0, published in November 2023, improves the granularity of scores and incorporates feedback from users of earlier versions. Note that many vulnerability databases and advisories still publish v3.1 scores alongside, or instead of, v4.0 scores, so both versions remain in daily use.
🎯 What is the purpose of the CVSS?
- Rapid, standardised assessment : The CVSS score provides an immediate, standardised overview of how dangerous a vulnerability is, making it easier to compare different vulnerabilities.
- Prioritising corrections : it enables vulnerabilities to be prioritised according to their potential impact, optimising the allocation of resources for remediation.
- Effective communication : the CVSS provides a common, objective language for communication between technical teams, management teams, suppliers and customers, avoiding subjective interpretations.
- Process automation : vulnerability management tools can use CVSS scores to automate a variety of tasks, such as generating reports, sorting alerts, quarantining vulnerable systems or triggering emergency remediation procedures.
- Risk management : By quantifying the severity of vulnerabilities, the CVSS helps organisations to assess their overall level of risk and make informed security decisions.
How it works
The CVSS (v3.x) assesses a vulnerability according to three groups of metrics (v4.0 renames the Temporal group to Threat and adds an optional Supplemental group):
- Base : intrinsic characteristics of the vulnerability (attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity and availability).
- Temporal : factors that evolve over time (maturity of available exploit code, whether an official fix exists, confidence in the vulnerability report).
- Environmental : the specific context of the organisation (how important confidentiality, integrity and availability of the affected asset are to the business, and compensating controls that modify the base metrics).
The base metrics are combined by the formula in the specification into an Impact sub-score and an Exploitability sub-score, from which the base score is derived; this is not a simple sum, and the result is rounded up to one decimal. Temporal and environmental metrics then adjust that base score, so the final score is only as accurate as the most recently updated metric values.
🌡 The different levels of severity according to the CVSS
- Critical (9.0-10.0) : very serious vulnerability, requiring immediate action.
- High (7.0-8.9) : significant vulnerability, requiring rapid attention.
- Medium (4.0-6.9) : moderate vulnerability, to be treated within a reasonable timeframe.
- Low (0.1-3.9) : minor vulnerability, which can be dealt with in the longer term.
- None (0.0) : no measurable impact on confidentiality, integrity or availability.
The limits of the CVSS
Although the CVSS is a valuable tool, it has certain limitations:
- Subjectivity : some metric values (attack complexity or scope, for example) depend on the analyst's interpretation, so two assessors can produce different scores for the same vulnerability.
- Generalisation : the base score describes the vulnerability in isolation; it does not reflect the specific context of a given environment unless the environmental metrics are filled in, which in practice they rarely are.
- Evolving threats : a base score is static. Unless the temporal (or, in v4.0, threat) metrics are kept up to date, the score will not reflect that an exploit has since become public or is being actively used.
📊 Statistics and figures
- According to a recent study, approximately 85 % of organisations use CVSS as their main vulnerability assessment method.
- In France and elsewhere, more than 90 % of vulnerabilities reported as critical receive a score above 7, underlining their importance in proactive risk management.