Common vulnerability scoring system (CVSS) is a free and open industry standard for rating the vulnerabilities in a computer system by assigning a score to each of them based on metrics that determines the urgency of response. It has been created for creating a global framework for disclosing information about security vulnerabilities.
It is under the custodianship of the Forum of incident Response and Security Teams (FIRST).
Metric used to generate score o the vulnerability is based on three factors.
1. Base Metric Group
2. Temporal Metrics
3. Environmental metrics
- Base Metric Group
Base Metric represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.
- Temporal Metrics
Temporal Metrics represents the characteristics of a vulnerability that change over time but not among user environments.
- Environmental Metrics
Temporal Metrics represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.
Who performs the scoring?
Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically have better information about the characteristics of a vulnerability than do users. The environmental metrics, however, are specified by users because they are best able to assess the potential impact of a vulnerability within their own environments.Share This: