FIRST Announces CVSS 4.0 – New Vulnerability Scoring System

November 2, 2023

The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015.

“This latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public,” FIRST said in a statement.

CVSS essentially provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes.

One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that “CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.”

CVSS v3.1 has also attracted criticism for a general lack of granularity in the scoring scale and for failing to adequately represent health, human safety, and industrial control systems.

The latest revision to the standard aims to address some of these shortcomings by providing several supplemental metrics for vulnerability assessment, such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U).

It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.

The idea, FIRST said, is to “reinforce the concept that CVSS is not just the Base score,” adding “this nomenclature should be used wherever a numerical CVSS value is displayed or communicated.”

“The CVSS Base Score should be supplemented with an analysis of the environment (Environmental Metrics), and with attributes that may change over time (Threat Metrics),” it further noted.

Tags
November 2, 2023

Related Articles

Why Ransomware in Education on the Rise and What That Means for 2023

October 24, 2022

Researchers Shed Light on CatB Ransomware’s Evasion Techniques

March 20, 2023

Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

April 7, 2022

Shocking Findings from the 2023 Third-Party App Access Report

February 27, 2023
© Copyright 2024, All Rights Reserved  |  PlanetJon
Back to top button