FIRST Announces CVSS 4.0 – New Vulnerability Scoring System
The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015.
“This latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public,” FIRST said in a statement.
CVSS essentially provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes.
One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that “CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.”
CVSS v3.1 has also attracted criticism for a general lack of granularity in the scoring scale and for failing to adequately represent health, human safety, and industrial control systems.
The latest revision to the standard aims to address some of these shortcomings by providing several supplemental metrics for vulnerability assessment, such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U).
It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.
The idea, FIRST said, is to “reinforce the concept that CVSS is not just the Base score,” adding “this nomenclature should be used wherever a numerical CVSS value is displayed or communicated.”
“The CVSS Base Score should be supplemented with an analysis of the environment (Environmental Metrics), and with attributes that may change over time (Threat Metrics),” it further noted.