New CVSS 4.0 vulnerability severity rating standard released
The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version.
CVSS is a standardized framework for rating the severity of software security vulnerabilities. It assigns a numerical score from 0.0 to 10.0, which maps to a qualitative rating (None, Low, Medium, High, or Critical), based on how a flaw can be exploited (attack vector, attack complexity, required privileges, user interaction) and its impact on confidentiality, integrity, and availability, with higher scores denoting more severe vulnerabilities.
Because it gives defenders a consistent way to evaluate a vulnerability's impact and compare risk across different systems and software, it is widely used to prioritize remediation.
“The revised standard offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls,” FIRST said.
“In addition, several supplemental metrics for vulnerability assessment have been added including Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency.
“A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups.”
This latest version also introduces a new nomenclature that states which metric groups a published score incorporates: Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE). Supplemental metrics carry additional context but do not change the numerical score.
The complete list of changes shipping with the CVSS v4.0 standard, including finer granularity through new Base metrics and values and improved impact metrics, is published by FIRST alongside the v4.0 specification.
FIRST unveiled CVSS 4.0 in June, during its 35th annual conference in Montréal, Canada, as a “cyber sector game-changer,” 18 years after the release of CVSS version 1 in February 2005.
“The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality. I am immensely proud of the CVSS-SIG for the hard work and dedication it has taken to produce version 4.0. And it is timely as we continue to see a significant rise in threats across the world,” said Chris Gibson, FIRST’s CEO.
“As a membership organization, our goal is to empower our members and the sector, demonstrating leadership and ensuring we are dedicated to continuously improving how we work together to defend people across the globe against cyber-attacks.”
Last year, FIRST also published TLP 2.0, the latest version of its Traffic Light Protocol (TLP) standard used in the computer security incident response team (CSIRT) community when sharing sensitive information.