What is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It provides a standardized method for rating IT vulnerabilities and calculating scores.
CVSS Score Ranges
- 0.0 - None
- 0.1 - 3.9 - Low
- 4.0 - 6.9 - Medium
- 7.0 - 8.9 - High
- 9.0 - 10.0 - Critical
CVSS Components
CVSS v3.1 scores are calculated from three metric groups:
- Base Metrics - Intrinsic qualities of a vulnerability (attack vector, complexity, privileges required)
- Temporal Metrics - Characteristics that change over time (exploit availability, remediation level)
- Environmental Metrics - Characteristics unique to a user's environment (security requirements, modified impact)
Limitations of CVSS
While CVSS is valuable, it has limitations:
- Doesn't account for business context
- Doesn't consider asset criticality
- May not reflect real-world exploitability
Beyond CVSS with Scapien
Scapien enhances vulnerability prioritization by combining CVSS scores with business context, asset criticality, and real-world exploitability assessment to help you focus on what matters most.