Inferensys

Glossary

Common Vulnerability Scoring System (CVSS)

An open industry standard for assessing the principal technical severity of software vulnerabilities, producing a numerical score reflecting their characteristics and impact.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
VULNERABILITY SEVERITY STANDARD

What is Common Vulnerability Scoring System (CVSS)?

An open industry standard for assessing the principal technical severity of software vulnerabilities, producing a numerical score reflecting their characteristics and impact.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It captures the principal technical aspects of a vulnerability and produces a numerical score ranging from 0 to 10, which is then translated into a qualitative severity rating—None, Low, Medium, High, or Critical—to help organizations prioritize remediation efforts.

CVSS is composed of three metric groups: Base, which captures intrinsic qualities that are constant over time; Temporal, which reflects characteristics that change over the lifecycle of the vulnerability; and Environmental, which allows an organization to customize the score based on their specific IT environment and compensating controls. The current version, CVSS v4.0, introduces supplemental metrics like Automatable and Recovery to provide finer granularity for security operations teams.

VULNERABILITY SEVERITY FRAMEWORK

Key Characteristics of CVSS

The Common Vulnerability Scoring System (CVSS) provides a standardized, repeatable methodology for quantifying the principal technical severity of software vulnerabilities. It captures the fundamental characteristics of a vulnerability and produces a numerical score reflecting its potential impact.

01

Base, Temporal, and Environmental Metric Groups

CVSS decomposes severity into three distinct metric groups to provide layered context:

  • Base Metrics: Intrinsic qualities of a vulnerability that are constant over time and across user environments. This includes Attack Vector (AV) , Attack Complexity (AC) , and Confidentiality/Integrity/Availability (CIA) Impact.
  • Temporal Metrics: Characteristics that evolve over the lifecycle of the vulnerability, such as the availability of exploit code (Exploit Code Maturity - E) or an official fix (Remediation Level - RL).
  • Environmental Metrics: Customizable modifiers that reflect the specific importance of the affected asset to an organization, allowing analysts to adjust Confidentiality Requirement (CR) and other impact metrics.
02

The CVSS Vector String

The score is derived from a compact text representation known as the CVSS Vector String. This machine-readable string encodes all selected metric values, providing a complete, transparent audit trail of how the score was calculated.

  • Example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • This string explicitly defines the vulnerability as Network exploitable (AV:N) with Low attack complexity (AC:L) and No privileges required (PR:N) , leading to a High impact on all three CIA pillars.
  • The vector string enables automated, deterministic parsing by vulnerability scanners and ensures reproducibility across different tools.
03

Qualitative Severity Rating Scale

To make numerical scores immediately actionable, CVSS maps quantitative ranges to a qualitative severity scale for triage prioritization:

  • None: 0.0
  • Low: 0.1 - 3.9
  • Medium: 4.0 - 6.9
  • High: 7.0 - 8.9
  • Critical: 9.0 - 10.0 A vulnerability scoring a 9.8 is classified as Critical and typically demands immediate remediation within a 24-hour window, whereas a 5.5 is Medium and can be scheduled into a standard patch cycle.
04

Scope Metric and Privilege Escalation

A pivotal Base Metric, Scope (S) , captures whether a vulnerability in one software component can impact resources beyond its intended security authority.

  • Unchanged (S:U) : The vulnerable component and the impacted component are the same, meaning the attack is contained within a single security boundary.
  • Changed (S:C) : The vulnerability allows the attacker to escape the component's sandbox and affect a different component, such as breaking out of a virtual machine to access the hypervisor. When Scope is Changed, the impact sub-score is weighted more heavily, reflecting the severity of a privilege escalation or container breakout.
05

CVSS v3.1 vs. v4.0 Evolution

The framework has evolved to address scoring ambiguities and new attack vectors:

  • CVSS v3.1: The current industry standard, which introduced the Scope metric and refined the scoring formula to better represent real-world impact.
  • CVSS v4.0: The next-generation standard that supplements the Base Score with new supplemental metrics like Automatable (A) , Recovery (R) , and Value Density (V) . It also introduces a Vulnerability Response (VR) metric to signal the urgency of remediation.
  • The shift to v4.0 aims to provide finer granularity for OT/ICS environments and safety-critical systems where traditional IT impact metrics are insufficient.
06

FIRST Org and Scoring Governance

CVSS is maintained and governed by the Forum of Incident Response and Security Teams (FIRST) , ensuring vendor-neutral, community-driven evolution.

  • The CVSS Special Interest Group (SIG) manages the standard's development, publishes official documentation, and provides a reference calculator.
  • Organizations like the NIST National Vulnerability Database (NVD) act as primary aggregators, enriching CVE records with CVSS Base Scores to provide a consistent baseline for global vulnerability management programs.
  • This governance model prevents proprietary scoring inflation and ensures that a Critical rating from one vendor is mathematically equivalent to a Critical rating from another.
CVSS EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the Common Vulnerability Scoring System, its mechanics, and its role in vulnerability management.

The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the principal technical severity of software vulnerabilities, producing a numerical score from 0 to 10 that reflects their intrinsic characteristics and impact. It works by evaluating a vulnerability across three metric groups: Base, Temporal, and Environmental. The Base metric group captures the constant, intrinsic qualities of the vulnerability, such as attack vector, complexity, and impact on confidentiality, integrity, and availability. The Temporal group adjusts the score based on factors that change over time, like the availability of exploit code or an official patch. The Environmental group allows an organization to customize the score based on its specific IT environment, modifying Base metrics according to the criticality of the affected asset and compensating security controls. A formula combines these metrics to generate a vector string and a final score, which is then mapped to a qualitative severity rating: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), or Critical (9.0-10.0).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.