Glossary · Security testing

What is CVSS?

Also known as: Common Vulnerability Scoring System, CVSS score

CVSS, the Common Vulnerability Scoring System, is an open framework for rating the severity of software vulnerabilities on a numerical scale from 0.0 to 10.0. Maintained by FIRST, it translates a vulnerability's technical characteristics into a score and a severity rating such as Low, Medium, High, or Critical.

Key takeaways

  • CVSS expresses vulnerability severity as a number from 0.0 to 10.0.
  • Scores map to qualitative ratings: None, Low, Medium, High, and Critical.
  • It is maintained by FIRST as an open, vendor-neutral standard.
  • CVSS measures inherent severity, not your specific real-world exposure.

How does the CVSS scale work?

CVSS converts the characteristics of a vulnerability into a single number between 0.0 and 10.0, where higher means more severe. That number maps to a qualitative band that most people read at a glance.

  • 0.0 corresponds to a None rating.
  • Low covers the lower end of the scale.
  • Medium sits in the middle range.
  • High covers the upper range.
  • Critical represents the most severe scores, at the top of the scale.

The underlying score is calculated from metrics describing how the vulnerability can be exploited and what impact it has, such as how the attacker reaches it, how complex exploitation is, and the effect on confidentiality, integrity, and availability.

Who maintains CVSS and why is it useful?

CVSS is maintained by FIRST, the Forum of Incident Response and Security Teams, as an open standard anyone can use. Because it is vendor neutral and transparent, a score produced by one tool or advisory means the same thing as a score from another, giving the industry a shared severity language that pairs naturally with CVE identifiers.

This consistency is what makes CVSS valuable for triage. When a scanner returns hundreds of findings, severity scores provide a defensible first cut at what to investigate, and they slot cleanly into reporting and compliance evidence.

What CVSS does not tell you

The most common mistake teams make is treating a CVSS score as a complete measure of risk. It is not. CVSS reflects a vulnerability's inherent severity in the abstract, independent of where it lives in your environment. A 9.8 on a system that is fully isolated and unreachable may matter less than a 6.5 on an internet-facing application holding customer data.

Real risk depends on context: exposure, asset value, compensating controls, and whether the flaw is actually exploitable from where attackers can reach. That is why severity should be combined with attack-path analysis from attack surface management and validated through breach and attack simulation to confirm what is genuinely reachable.

Frequently asked questions

What is the difference between CVE and CVSS?
A CVE is a unique identifier that names a specific vulnerability. A CVSS score is a separate rating, from 0.0 to 10.0, that describes how severe that vulnerability is. One names the flaw; the other scores it.
Does a high CVSS score mean I am at high risk?
Not necessarily. CVSS measures inherent severity, not your exposure. A high score on an unreachable or well-isolated system can pose less actual risk than a lower score on an exposed, business-critical asset.
Should I patch strictly in CVSS order?
CVSS is a useful starting point but not the only factor. Effective prioritization also weighs exploitability, internet exposure, asset criticality, and threat intelligence about active exploitation.

Authoritative sources

← Back to the glossary