CVSS, or Common Vulnerability Scoring System, is an open and standardized framework for assessing the severity of computer security vulnerabilities.
CVSS assigns each vulnerability a numerical score from 0.0 to 10.0 that reflects its severity, which helps organizations prioritize response and remediation. The score measures technical severity, not risk: how much a given vulnerability matters to a particular organization also depends on where the affected component is deployed and what it protects, which is what the Environmental metrics described below are for.
The CVSS score is built from several metrics grouped into three categories (this is the CVSS v3.x structure; CVSS v4.0 renames the Temporal group to Threat and adds a Supplemental group that does not change the score):
1. Base Metrics: Evaluate the intrinsic characteristics of the vulnerability that are constant over time and across user environments: Attack Vector (how the attacker reaches the vulnerable component, from network down to physical access), Attack Complexity, Privileges Required, User Interaction, Scope (whether a successful exploit affects resources beyond the vulnerable component's own security authority), and the impact on confidentiality, integrity, and availability. The Base score is the one published in advisories and vulnerability databases.
2. Temporal Metrics: Take into account factors that change over time but do not depend on the specific user environment: Exploit Code Maturity (whether a working exploit is public), Remediation Level (whether an official fix, temporary fix, or workaround exists), and Report Confidence (how well the vulnerability is confirmed). All temporal multipliers are 1.0 or less, so the Temporal score can lower the Base score but never raise it.
3. Environmental Metrics: Adjust the score to reflect the vulnerability's importance in a specific organization's environment. They consist of Security Requirements (how much the organization values the confidentiality, integrity, and availability of the affected asset) and Modified Base metrics that override the base values to reflect local conditions, for example a compensating control that removes network reachability.
The final score gives security teams a standardized assessment of vulnerability severity on which to base mitigation decisions. In CVSS v3.x the numerical score maps to a qualitative rating: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). Scores are normally published together with the vector string that produced them (for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores 9.8), so any consumer can recompute the score or apply its own Temporal and Environmental adjustments. CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST).