CVSS Scoring

CVSS stands for the Common Vulnerability Scoring System, an open industry standard designed to convey vulnerability severity and risk. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams).

Where can I learn more about CVSS standards?

The service supports CVSS Version 2 and CVSS Version 3.

For general CVSS standards information, visit the FIRST CVSS Home page at:

http://www.first.org/cvss/

For specific information on the CVSS standards, see:

http://www.first.org/cvss/user-guide.html

How do I enable CVSS Scoring?

Managers enable the CVSS Scoring feature for the subscription on the CVSS Setup page (Reports > Setup > CVSS). Note that CVSS Scoring is not enabled by default in a new subscription.

Once enabled, where can I see CVSS scores?

You'll see CVSS and CVSS v3 scores for vulnerabilities and potential vulnerabilities throughout the UI and in your reports. We do not display CVSS scores for information gathered. CVSS Base and Temporal scores are displayed in scan reports that include vulnerability details. CVSS scores are included in template-based scan reports with host-based findings.

Tell me about CVSS scoring metrics

These values are needed to calculate the CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics. The Base and Temporal scores are provided by our security service. Environmental metrics are user-defined and assigned to asset groups.

Diagram showing CVSS metrics for calculating Final CVSS score
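The following added example (not code from the service or from FIRST) applies the published CVSS Version 2 equations to show how the same Base and Temporal metrics produce different final scores once per-asset-group Environmental metrics are applied. The vector, the asset group names `prod-web` and `lab`, and their metric choices are constructed for illustration; how the service itself combines these values is not described on this page.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (ND = Not Defined).
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
}
for k in ("C", "I", "A"):        # impact metrics share one weight table
    W[k] = {"N": "0", "P": "0.275", "C": "0.660"}
for k in ("CR", "IR", "AR"):     # security requirements share one weight table
    W[k] = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}

def r1(x):
    """Round half up to one decimal, as the v2 equations require."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def parse(vector):
    """Map 'AV:N/AC:L/...' to weights; unknown metrics or values raise KeyError."""
    return {k: D(W[k][v]) for k, v in (part.split(":") for part in vector.split("/"))}

def scores(base_temporal, environmental="CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND"):
    """Return (base, temporal, environmental) CVSS v2 scores as Decimals."""
    m = parse(base_temporal + "/" + environmental)
    expl = 20 * m["AV"] * m["AC"] * m["Au"]
    def base(impact):
        f = D(0) if impact == 0 else D("1.176")
        return r1((D("0.6") * impact + D("0.4") * expl - D("1.5")) * f)
    def temporal(b):
        return r1(b * m["E"] * m["RL"] * m["RC"])
    impact = D("10.41") * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    # Environmental: re-weight impact by the group's security requirements.
    adj = min(D(10), D("10.41") * (1 - (1 - m["C"] * m["CR"])
              * (1 - m["I"] * m["IR"]) * (1 - m["A"] * m["AR"])))
    adj_temporal = temporal(base(adj))
    env = r1((adj_temporal + (10 - adj_temporal) * m["CDP"]) * m["TD"])
    return base(impact), temporal(base(impact)), env

# Constructed sample: one finding, two hypothetical asset groups.
VULN = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
GROUPS = {"prod-web": "CDP:H/TD:H/CR:M/IR:M/AR:H", "lab": "CDP:N/TD:L/CR:L/IR:L/AR:L"}
if __name__ == "__main__":
    for name, env_metrics in GROUPS.items():
        print(name, *scores(VULN, env_metrics))
```

With all Environmental metrics left at Not Defined, the environmental score equals the Temporal score, so a difference between the two in a report points to the asset group's settings.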

 

Tell me about service-provided values

Tell me about user-provided environmental metrics