The Forum of Incident Response and Security Teams (FIRST) has published an update of its internationally recognized Common Vulnerability Scoring System (CVSS). CVSS is a common scoring system designed to provide open and universally standard severity ratings of software vulnerabilities for the security community. CVSS is used by organizations worldwide, and the version 3.1 documentation is now available on the FIRST website for members and non-members to reference.
The goal of CVSS version 3.1 is to simplify and improve upon the existing CVSS version 3.0 standard, allowing for easier adoption by the security community. Updates include clarified definitions and explanations of existing base metrics such as Attack Vector, Privileges Required, Scope, and Security Requirements. A new standard method of extending CVSS, called the CVSS Extensions Framework, allows a scoring provider to include additional metrics and metric groups while retaining the official Base, Temporal, and Environmental Metrics. The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard. Finally, the CVSS Glossary of Terms is expanded and refined to cover all terms used throughout the CVSS version 3.1 documentation.
“FIRST is grateful for input from industry subject-matter experts in an effort to enhance and refine CVSS to be more applicable to the vulnerabilities, products, and platforms being developed over the past 15 years and beyond. The primary goal of CVSS is to provide a deterministic and repeatable way to score the severity of vulnerabilities across many different constituencies,” stated the CVSS SIG co-Chair of FIRST.