Hard2bit

CVSS

What is CVSS

CVSS (Common Vulnerability Scoring System) is an open standard, maintained by FIRST, that quantifies the technical severity of a vulnerability on a scale of 0.0 to 10.0. 0.0 means no impact; 10.0 is the worst case: reachable over the network, no privileges or user interaction needed, complete loss of confidentiality, integrity and availability, with effects spilling beyond the vulnerable component. Most CVEs (Common Vulnerabilities and Exposures identifiers) published in NVD carry a CVSS score. CVSS v3.1 is still the most widely published version; FIRST released v4.0 in November 2023 and it is being adopted alongside v3.1. The v3.1 base score considers: (1) Attack Vector (network, adjacent, local, physical), (2) Attack Complexity (how much effort?), (3) Privileges Required (is authentication needed, and at what level?), (4) User Interaction (does a victim have to do something?), (5) Scope (does the impact stay within the vulnerable component or reach others?), (6) impact on Confidentiality, Integrity and Availability. Example: CVE-2021-44228 (Log4Shell) scores 10.0 because it is exploitable over the network without authentication or user interaction, with low complexity, and yields complete compromise whose scope extends beyond the vulnerable library.

Why it matters

For a CISO, CVSS is the first-pass patch prioritisation tool. Without it, every finding would look equally urgent. With it you can differentiate: 'a vulnerability requiring physical access to a server and causing a temporary denial of service scores around 4; a remote vulnerability exploitable without authentication that allows code execution scores 9.8'. Your ops team can patch the 9.0+ findings first, then 7.0-8.9, then 4.0-6.9. Without a standardised scale, each vendor would use its own labels (critical vs. high vs. severe), making comparison impossible. CVSS is internationally accepted: government agencies, security teams and vendors all use it, which is what makes consistent comparison possible. Important limitation: CVSS measures technical severity, not business risk. A CVSS 3 in a critical component can represent more risk than a CVSS 7 in a minor utility.

Key points

CVSS v3.1 maps scores to qualitative ratings: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. These ratings are technical. Business context determines urgency: a CVSS 5 on a server handling money can be more critical than a CVSS 8 on a development machine.

CVSS measures technical severity, not risk. Risk = likelihood of exploitation × impact. A theoretical CVSS 10 with no published exploit, affecting ten machines worldwide, is a different problem from a CVSS 8 that botnets are actively exploiting against thousands of hosts.

CVSS has a base score (intrinsic, technical) and a temporal score that multiplies it by three factors that change over time: Exploit Code Maturity (is there a working exploit?), Remediation Level (is there an official fix, a temporary fix, a workaround?) and Report Confidence (is the flaw confirmed?). Temporal metrics can only lower the score, never raise it: an official fix alone takes a base 9.8 to 9.4, and only when the exploit is also unproven and the report unconfirmed does it bottom out at 7.8. The base score remains the reference for comparison; the temporal score reflects the current exposure window.

Do not confuse CVSS with operational urgency. If none of your systems runs the affected software, the urgency of a CVSS 10 is zero. If you do have a system vulnerable to a CVSS 3, urgency depends on context: is it in the DMZ? is it business-critical? is the flaw being exploited in the wild?

Example: patch prioritisation with CVSS

A CISO receives a list of 100 vulnerabilities from an automated scanner; reviewing each by hand is infeasible. Filter by CVSS: (1) CVSS 9.0+: 5 vulnerabilities, all on exposed web servers. Patch deadline: 6 hours. (2) CVSS 7.0-8.9: 20 vulnerabilities. Deadline: 24-48 hours. (3) CVSS 4.0-6.9: 50 vulnerabilities. Deadline: 1-2 weeks. (4) CVSS below 4.0: 25 vulnerabilities. Deadline: 30 days or the next maintenance window. Then add context: (1) A CVSS 7 affects a corporate endpoint without internet access. Urgency is low. (2) A CVSS 5 affects an authentication server on the internet. Urgency is high. Reorder accordingly: CVSS is the initial filter, and business context sets the final priority.

Common mistakes

  • Prioritising on CVSS alone, without business context. A CVSS 10 in a disused component on an internal server is not as critical as a CVSS 6 on an internet-facing edge firewall. Use CVSS as a first filter, but decide urgency by exposure.
  • Assuming the CVSS score is a single fixed number. The same vulnerability scores differently under v2, v3.1 and v4.0, and the temporal score drops once a patch exists or an exploit is confirmed. Always read the vector string and the version, not just the number.
  • Neglecting low-CVSS vulnerabilities that are actively exploited. A CVSS 4 being exploited in mass attacks is more urgent than a theoretical CVSS 7 with no documented exploitation. Combine CVSS with threat intelligence.
  • Not re-checking scores when new information emerges. NVD and vendors do re-score base metrics when the initial analysis turns out to be wrong (a bug first rated 5 as a crash may be re-rated 8 once it is shown to yield code execution), and temporal metrics change as exploits and patches appear. Monitor score changes as new information comes out.

Frequently asked questions

How is the CVSS score calculated?

CVSS v3.1 computes the base score from eight metrics encoded in a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: (1) Attack Vector (network, adjacent, local, physical), (2) Attack Complexity (low, high), (3) Privileges Required (none, low, high), (4) User Interaction (none, required), (5) Scope (unchanged, changed), (6) Confidentiality, Integrity and Availability impact (none, low, high). The first four form an Exploitability sub-score and the last three an Impact sub-score; the two are added (multiplied by 1.08 when Scope is changed), capped at 10 and rounded up to one decimal. If the Impact sub-score is zero, the base score is 0 regardless of how easy the flaw is to reach.

What is the difference between CVSS Base Score, Temporal Score and Environmental Score?

The Base Score captures the intrinsic characteristics of the vulnerability and is intended not to change over time. The Temporal Score multiplies it by factors that do change: Exploit Code Maturity (no exploit known, proof-of-concept, functional, weaponised), Remediation Level (official fix, temporary fix, workaround, none) and Report Confidence; it can only lower the base score. The Environmental Score re-evaluates the base metrics for your own deployment (for example an Attack Vector that is effectively local behind a firewall) and weights Confidentiality, Integrity and Availability by how much each matters to the affected asset. Base is useful for global comparison; temporal and environmental describe your reality.

Is a vulnerability with CVSS 10 always more critical than one with CVSS 5?

Technically, yes: CVSS 10 denotes greater technical severity. Whether it is more critical for you depends on context. A CVSS 10 in a component you do not run is not critical. A CVSS 5 on an internet-facing edge firewall can be very critical. Use CVSS as a filter and decide urgency by exposure.

How often are CVSS scores updated?

The Base Score is meant to be stable, although NVD or the vendor may re-score it if the initial analysis was wrong. Temporal metrics change as exploit code, patches and confirmations appear. Most movement happens in the days after CVE publication, so watch the entry during the first 7-14 days; after that, exploitation intelligence (for example CISA's Known Exploited Vulnerabilities catalogue) tells you more about urgency than further changes to the score.