A new version of the Common Vulnerability Scoring System (CVSS 4.0) has been unveiled publicly by the Forum of Incident Response and Security Teams (FIRST) on July 13, 2023.
CVSS is the open industry standard for assessing the severity of computer system security vulnerabilities, helping organizations prioritize their vulnerability management processes. It provides a method of capturing the principal characteristics of a vulnerability and producing a numerical score to demonstrate its severity.
Read more: #HowTo: Create an Effective Patch Management Program
The numerical score is also represented as a qualitative severity rating: low, medium, high and critical.
Version 4.0 is currently undergoing a public preview comment period, which will end on July 31, 2023. All feedback will then be reviewed and addressed by August 31, 2023, with FIRST aiming for an official publication date of October 1, 2023.
The new version aims to address criticisms levelled at the current CVSS version 3.1, which was published in June 2019. These include:
- Insufficient granularity in base metrics
- The standard is only applicable to IT systems and not systems such as OT, ICS and IoT
- Scores published by vendors are often high or critical (+7.0)
- Temporal metrics do not effectively impact the final CVSS score
- Overly complicated threat metrics
CVSS 4.0 aims to address these issues by introducing the following changes:
- Reinforcing the concept that CVSS is not just the base score
- Finer granularity through the addition of new base metrics and values
- Enhanced disclosure of impact metrics
- Temporal metric group renamed to threat metric group
- New Supplemental Metric Group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score
- Additional focus on OT/ICS/safety systems
Commenting on the new version, FIRST’s CEO Chris Gibson said: “The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality.
“I am immensely proud of the CVSS Special Interest Group (SIG) for the hard work and dedication it has taken to produce version 4.0. And it is timely as we continue to see a significant rise in threats across the world.
“As a membership organization, our goal is to empower our members and the sector, demonstrating leadership and ensuring we are dedicated to continuously improving how we work together to defend people across the globe against cyber-attacks.”
Background and Development of CVSS
The first version of the standard (CVSS v1) was introduced in February 2005 by a small group of pioneers, who recognized the need to standardize vulnerability measurements across software and platforms. The non-profit FIRST was appointed in April 2005 to become the custodian of CVSS for future development.
Prior to 2005, vendors were forced to use custom, incompatible rating systems to define severity of vulnerabilities.
CVSS v1 was tested extensively by over a dozen FIRST members of the CVSS-SIG during 2006 and 2007, leading to the development of v2 in June 2007. This reduced inconsistencies and provided additional granularity alongside other improvements to the original standard.
Version 3.0 was published in June 2015, which introduced the concept of ‘scope’ to handle the scoring of vulnerabilities that exist in one software component, but impact a separate software, hardware or networking component.
Finally, 3.1 was released in June 2019 to provide better clarity of concepts to improve the overall ease of use of the standard. However, it did not introduce any new metrics or values.