CVSS stands for the Common Vulnerability Scoring System, an open industry standard designed to convey vulnerability severity and risk. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams).
The service supports CVSS Version 2 and CVSS Version 3.
For general CVSS standards information, visit the FIRST CVSS Home page at:
For specific information on the CVSS standards read here:
Managers enable the CVSS Scoring feature for the subscription on the CVSS Setup page (Reports > Setup > CVSS). Note that CVSS Scoring is not enabled by default in a new subscription.
You'll see CVSS v2 and CVSS v3 scores for vulnerabilities and potential vulnerabilities throughout the UI and in your reports. We do not display CVSS scores for information gathered. CVSS Base and Temporal scores are displayed in scan reports that include vulnerability details. CVSS scores are included in template-based scan reports with host-based findings.
These values are needed to calculate the CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics. The Base and Temporal scores are provided by our security service. Environmental metrics are user-defined and assigned to asset groups.
Tell me about service-provided values
CVSS Base Score measures the fundamental, unchanging qualities of a vulnerability. The Base score is modified by the CVSS Temporal Score and Environmental metrics when the final CVSS score is calculated.
CVSS Temporal Score measures time dependent qualities of a vulnerability, which may change over time. The Temporal score allows for mitigating factors to reduce the overall CVSS score for a vulnerability.
CVSS Access Vector is part of the CVSS Base metric group and reflects the level of access required to exploit a vulnerability. CVSS Access Vector values are Local Access, Adjacent Network and Network. Note that CVSS Access Vector only appears on the Vulnerability Information page.
Tell me about user-provided environmental metrics
CVSS Environmental Metrics capture the characteristics of a vulnerability that are associated with the user's IT environment. Users set these values in asset groups; the values set for a group apply to all hosts in the group.
Collateral Damage Potential represents the possibility for loss in physical equipment and property damage.
Target Distribution represents the relative size of the field of the target systems susceptible to the vulnerability.
The following Security Requirements metrics enable users to customize the final CVSS score, depending on the importance of the affected host to the user's organization.
Confidentiality Requirement represents the impact that loss of confidentiality has on the organization or individuals associated with the organization (for example employees, customers).
Integrity Requirement represents the impact that loss of integrity has on the organization or individuals associated with the organization (for example employees, customers).
Availability Requirement represents the impact that loss of availability has on the organization or individuals associated with the organization (for example employees, customers).
When this is the case, we use the highest CVE score value.
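How the Base, Temporal and Environmental metrics described above combine into a final score, as an added example that uses the equations and weights published in the FIRST CVSS v2 specification; it is not the service's own code. The function name `score_v2` is hypothetical, and the sample vector and asset-group settings are constructed.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights as published in the FIRST CVSS v2 specification.
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0", "P": "0.275", "C": "0.660"},
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1", "ND": "1"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1", "ND": "1"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1", "ND": "1"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1", "ND": "1"},
    "CR": {"L": "0.5", "M": "1", "H": "1.51", "ND": "1"},
}
W["I"] = W["A"] = W["C"]        # Integrity/Availability impact share the weights
W["IR"] = W["AR"] = W["CR"]     # as do the three Security Requirements
OPTIONAL = ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")

def r1(x):
    """Round to one decimal place, halves up, as the specification does."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def score_v2(vector):
    """Return (base, temporal, environmental) for a CVSS v2 vector string."""
    m = dict.fromkeys(OPTIONAL, "ND")            # unset metrics: Not Defined
    m.update(p.split(":") for p in vector.split("/"))
    w = {k: D(W[k][v]) for k, v in m.items()}    # KeyError on unknown input
    ci, ii, ai = w["C"], w["I"], w["A"]
    expl = 20 * w["AV"] * w["AC"] * w["Au"]

    def base(impact):
        f = D("1.176") if impact else D(0)
        return r1((D("0.6") * impact + D("0.4") * expl - D("1.5")) * f)
    def temporal(b):
        return r1(b * w["E"] * w["RL"] * w["RC"])

    impact = D("10.41") * (1 - (1 - ci) * (1 - ii) * (1 - ai))
    # Security Requirements re-weight each impact before the base is recomputed.
    adjusted = min(D(10), D("10.41") * (1 - (1 - ci * w["CR"])
                   * (1 - ii * w["IR"]) * (1 - ai * w["AR"])))
    b = base(impact)
    adj_t = temporal(base(adjusted))
    env = r1((adj_t + (10 - adj_t) * w["CDP"]) * w["TD"])
    return b, temporal(b), env

FLAW = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"  # constructed sample vector
for group in ("CDP:H/TD:H/CR:M/IR:M/AR:H", "CDP:N/TD:M/AR:L"):
    print(group, *score_v2(FLAW + "/" + group))
```

The same vulnerability keeps its Base and Temporal scores in both asset groups; only the environmental result moves with the group's settings.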