How Does CVSS Work?
Vulnerabilities are flaws in an organization's internal controls, information systems, or processes that cybercriminals can exploit to steal corporate data and cause harm.
Enterprises reported 18,103 vulnerabilities in 2020, 10,342 of which were high severity, according to an analysis of the U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database.
To keep systems safe, organizations must identify, prioritize, and remediate these vulnerabilities as soon as possible—not an easy task, given the significant number of flaws organizations could have to manage.
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It produces a numerical score to rank vulnerabilities based on their severity. Organizations can prioritize their vulnerabilities based on whether the CVSS score risk is low, medium, or high.
CVSS is an open-source framework that provides software developers, testers, security, and IT professionals with a standardized process to assess vulnerabilities. Organizations can use the CVSS to determine a vulnerability's threat level and then prioritize remediation accordingly.
The non-profit Forum of Incident Response and Security Teams (FIRST) owns and manages CVSS. Many organizations have adopted CVSS, including the United States Department of Homeland Security, the United States Computer Emergency Response Team, Amazon, Cisco, HP, Huawei, IBM, McAfee, Oracle, Qualys, and SAP.
What Are the Major Versions of CVSS?
The National Infrastructure Assurance Council (NIAC) introduced CVSS in February 2005. In 2007, NAIC selected FIRST to maintain the vulnerability scoring system. FIRST released CVSS v2 in 2007 to reduce earlier version inconsistencies and better reflect the wide range of vulnerabilities.
FIRST released CVSS v3 in June 2015, introducing scoring changes to reflect how to discover real-world vulnerabilities more accurately. FIRST released version CVSS v3.1 in 2019, clarifying that CVSS v3.1 measures a vulnerability's severity, not its risk.
Organizations that only use the CVSS score before patching flaws aren't managing risks adequately. That score doesn't reflect whether a cybercriminal can exploit the real-world vulnerability or pose any risk to the organization's security environment.
To be effective, security teams must assess concrete business vulnerabilities and risks to both IT and operational systems, then use that data to prioritize mitigation efforts. Taking a risk-based approach to vulnerability management lets teams focus on the most critical flaws and assets rather than spend time on vulnerabilities that cybercriminals are unlikely to exploit.
How Organizations Calculate CVSS Score
Organizations calculate CVSS scores based on metrics categorized into three groups from which different scores are derived.
These metric groups include:
BASE METRIC GROUP:
The Base Metric Group represents a vulnerability's inherent characteristics, i.e., those that don't change over time or across different user environments. Organizations use the corresponding CVSS Base Score as a key metric of vulnerabilities' severity. It allows them to gauge the vulnerabilities' impacts on their systems and prioritize which to patch first.
The Base Metric Group contains several metrics that together create a CVSS Base Score. These metrics are:
- Exploitability Metrics: Exploitability indicates how easily a malicious actor can exploit a vulnerability and defines four specific exploitation metrics:
- The attack vector defines the level of physical or network access a cybercriminal needs for exploitation
- The attack complexity refers to the conditions that allow a cybercriminal to exploit a vulnerability.
- The privilege required is the system privilege level needed to exploit a vulnerability.
- The user interaction indicates if a user needs to do anything, e.g., install an application that enables the cybercriminal to exploit a vulnerability.
- Impact Metrics: Impact focuses on what a cybercriminal can achieve by exploiting a vulnerability and breaks down into three metrics:
- Confidentiality refers to the accessible volume of data a cybercriminal has after infiltrating a system. Vulnerabilities that expose system-wide data stores rank higher than those that expose local and siloed resources.
- Integrity focuses on whether the protected data was tampered with or altered.
- Availability centers on the ability to deny service to users and their data.
- Scope Metrics: Scope is whether a vulnerability in one system or component affects another system or component.
The base metrics produce a score between zero (the lowest amount of risk) and ten (the highest amount of risk). Organizations can modify the base metrics by scoring the temporal and environmental metrics.
TEMPORAL METRIC GROUP
Temporal metrics change over time, measuring a vulnerability's current state and the availability of patches. The three metrics in this group are: exploit code maturity, remediation level, and report confidence.
- Exploit code maturity measures how difficult it is for a cybercriminal to exploit a vulnerability.
- Remediation level gauges whether there's a patch or workaround to mitigate the vulnerability.
- Report confidence measures how confident sources are that a vulnerability exists and that it is exploitable.
ENVIRONMENTAL METRIC GROUP
Environmental metrics allow organizations to modify the base CVSS metrics based on specific business factors that might increase or decrease a vulnerability's severity. Environmental metrics consist of modified base CVSS metrics and security requirements:
- Modified base metrics: Organizations may modify the values of the base metrics by implementing compensating controls or mitigation measures to reduce the chances a cybercriminal will exploit a vulnerability.
- Security requirements describe and score an asset based on its importance to the organization measured in confidentiality, integrity, and availability.
- Confidentiality is the ability to hide data from unauthorized users.
- Integrity is the ability to secure data from being changed from the original.
- Availability is how accessible the data is to authorized users as needed. The more critical the asset, the higher the score.
Does CVSS Relate to CVE?
CVSS and CVE are complementary standards but not directly related. The Common Vulnerabilities and Exposures (CVE) program catalogs publicly disclosed security vulnerabilities and exposures with unique identifiers. The CVE provides common identifiers for publicly known flaws, not severity scoring or prioritization ratings for vulnerabilities. However, the National Vulnerability Database, a US government database of standards-based vulnerability data, gives each CVE a CVSS score indicating its security severity.
How Can HackerOne Help?
Work with HackerOne and our hacker community, the world’s largest and most diverse, to help your organization find and remediate vulnerabilities faster. HackerOne uses CVSS, the industry-standard scoring system, to determine the severity of vulnerabilities. Our HackerOne Platform delivers comprehensive continuous security testing that reduces cyber risk and decreases attack surfaces to stop exploits before they happen. Contact us to learn more.