CVSS: Common Vulnerability Scoring System

Currently, cyber threats and security vulnerabilities have become a growing source of concern. For that reason, security experts and organizations are in search of an effective solution to assess and prioritize vulnerabilities. This is where the "Common Vulnerability Scoring System" or in short, CVSS comes into play. Vulnerabilities are security flaws in systems, that allow malicious individuals to infiltrate or carry out harmful actions. CVSS is a standard designed to assess and prioritize the severity of such vulnerabilities. This system determines the potential impact of a vulnerability using metrics such as the base score, access level, and ease of access.

CVSS utilizes three main metrics in vulnerability assessment:

Base Score: Evaluates the natute of the vulnerability and its fundamental impacts. The base score includes sub metrics in two main categories:

Access Vector: Determines the ways in which an attacker can use the vulnerability. For example, remote access, local network access, or physical access.

Access Complexity: Determines the effort required for an attacker to exploit the vulnerability, indicating how easy or difficult the process might be.

Temporal Score: Assesses the effects of patches or security measures applied to the vulnerability. This includes the rate of spread ov security fixes and their impact.

Environmental Score: Evaluates the specific impacts of a vulnerability within a particular organization or system, considering unique features, technologies used, and configuration.These three metrics are combined to form an overall score for a vulnerability. Scores are then categorized as low, medium, high, and critical, providing information about the severity of the vulnerability. Each metric is weighted, typically determined according to standard documentation. The results obtained by multiplying these weights are then summed up to create an overall CVSS score.

CVSS scoring uses a rating system divided into levels such as low, medium, high, and critical. The higher the score, the more serious the vulnerability is considered. CVSS scores provide a guide for security experts and system administrators to prioritize security vulnerabilities. For instance, a vulnerability may have a high base score, but due to security measures applied by the organization, the spread rate may be low, impacting the overall score.


CVSS v3.1 Score


9,0 - 10


7,0 – 8,9


4,0 – 6,9


0,1 – 3,9

CVSS provides a framework for cybersecurity experts to assess the importance and urgency of a specific vulnerability, helping them allocate limited resources effectively, prioritize critical vulnerabilities and enhance overall security levels for organizations. CVSs has become a significant tool in identifying, assessing, and addressing security vulnerabilities in the digital world. Many vulnerability scanning tools use the CVSS method for vulnerability scoring, and this method is periodically updated.

The process is conducted by the non-profit organization The Forum in Incident Response and Security Teams (FIRST), that holds all copyright and trademark rights for CVSS. Version 3.0 of

CVSS was released in June 2015, followed by version 3.1, in June 2019.

There is still ongoing process for CVSS version 4.0.

Author: Eren ÖKSÜZ/ BeyazNet Information Systems Analyst