FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

CVSS consists of four metric groups, Base, Threat, Environmental, and Supplemental, which FIRST says, “represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment.” Using CVSS, users can determine the severity of specific vulnerabilities by leveraging a score ranging from 0 to 10. It is important to note that CVSS is used to determine severity and does not risk an organization. So, users of CVSS, will need to determine how a vulnerability impacts software in their own environment, to determine the overall risk. 

To see the full list of changes, please refer to FIRST’s CVSS v4.0 User Guide. 

For more information about CVSS v4.0, please refer to the FAQ.