Questions about CVSS Scoring System

Hopeleonie asked:
I would like to know your opinion on the following questions:
1) What are the cons of the CVSS Scoring System, compared to many other systems?
2) Where did you hit limits while working with the CVSS Scoring System?
3) What must be considered in which scenarios?

Thanks a lot for your feedback.
David Favor, Fractional CTO (Distinguished Expert 2018):
There's a new system for scoring... seems like every day...

Scoring provides minimal usefulness.

Take a read through this and other recent EE questions, which you can find by searching for the keyword security.

Best to set up rock solid security first, then as time permits play around with scoring systems...


The security policies you set up will determine whether you're hacked or not.

Scoring systems only give clues about potential problems.

Best to just have no problems at all, due to enforcement of stringent security policies.
Exec Consultant (Distinguished Expert 2018):
1) What are the cons of the CVSS Scoring System, compared to many other systems?

CVSS measures the severity of a weakness, and that helps in setting the priority for putting in place the remediation or mitigation required. Most commonly this refers to patch releases that address the vulnerabilities identified.

With this as the backdrop, when you say "compared to others", there isn't any other scoring system focusing on such measurement. Or, minimally, CVSS has set in as the most commonly used language when comparing or dealing with various weaknesses.

There are those like CAPEC and CWE which, when used together, provide understanding and guidance to a targeted audience, like software development personnel of all levels, as to where and how their software is likely to be attacked, thereby equipping them with the information they need to help them build more secure software.

CVSS is used by many beyond developers, like governance, operational and security consultants, engineers and analysts, to develop an action plan.

2) Where did you hit limits while working with the CVSS Scoring System?

This scoring system is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is that CVSS is used for far more than it was intended.

In fact, many organizations measure their ongoing risk posture by counting the number of unfixed vulnerabilities and their associated CVSS scores. CVSS is useful, but must not be confused with deeper risk assessment.

Calculating CVSS helps practitioners identify those items that warrant deeper analysis. Unfortunately, due to the way that a CVSS base score is averaged across the exploitability and the impact dimensions, CVSS in some instances fails to sufficiently assess risk, especially in cases where utility to an attacker appears to be relatively insignificant.

3) What must be considered in which scenarios?

CVSS is a critical tool for triaging vulnerabilities and for gauging response times. Still, CVSS is no substitute for a deeper risk analysis when it is warranted.

You really shouldn't use just numeric scores from CVSS to compare vulnerabilities without context. You should always examine the individual metrics to better understand the possible impact.

CVSS is likely to be much less relevant for IoT or cyber-physical systems. As a metric, Safety is harder to predict and more variable than other impact metrics. It's hard to compare to the other metrics because it's difficult to rate the importance of even a single human life against, say, the confidentiality of a corporation's emails.

My point is not that CVSS is not useful, but that it was not intended to measure safety.

There are, however, other instruments already used in the safety engineering field, and even in IT security, that may be useful alternatives.

In general, the FIPS 199 "potential impact" levels may be useful. They include the possibility of human harm or loss of life when rating the impact of loss of an information system. They are very broad and organization-specific, however, and intend to judge entire information systems rather than specific vulnerabilities.

Another example: let's say for automobiles, there is the ASIL standard (ISO 26262), which attempts to measure the risks of faults in cars.

In short, there is no all-in-one metric for measuring all vulnerabilities. Doing risk assessment diligently is still needed.
Risk scores depend on the integrated concept of risk. Vulnerabilities are a big part of that concept. Vulnerabilities are rated using the CVSS. The CVSS is a risk management approach where vulnerability data is quantified and then the degrees of risk to different types of systems or information are taken into account.

The system consists of three core metric groups (and their associated sub-metrics): base metrics that characterize fundamental components of a vulnerability, temporal metrics that qualify components of a vulnerability that change over time, and environmental metrics that qualify components of a vulnerability that depend on specific contexts and implementations.

The strength of the CVSS is that it produces consistent results for the vulnerability's threat in the base and temporal metric groups, while allowing organizations to match those results with their specific computing environment. You can do this by using the CVSS calculator and plugging in your own metric values.

The National Vulnerability Database (NVD) uses the Common Vulnerability Scoring System (CVSS) standard to assess vulnerabilities.
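The two answers above make the same practical point from different angles: a numeric score hides which metrics produced it, and the environmental group is where you plug in your own values. The following calculator is an added example, not code from the thread or from FIRST; it implements the CVSS v3.1 base, temporal and environmental equations (the v3.1 version is my choice; the thread does not name one) for vectors in the standard string form, so you can see two vectors that score identically but demand very different attacker preconditions, and how a 9.8 drops once an asset's reachability and data requirements are factored in. All vectors in it are constructed for illustration.

```python
"""Minimal CVSS v3.1 calculator: base, temporal and environmental scores.

Added example (not from the original thread). Implements the equations of
the FIRST CVSS v3.1 specification so the effect of individual metrics on a
score can be inspected instead of comparing bare numbers.
"""
import math

# Metric weights as published in the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}            # CR / IR / AR
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}  # exploit maturity
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}  # remediation level
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}           # report confidence


def roundup(x):
    """CVSS v3.1 Roundup: round up to one decimal without float artefacts."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into a dict; absent optional metrics -> 'X'."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are handled")
    m = {k: "X" for k in ("E", "RL", "RC", "CR", "IR", "AR",
                          "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")}
    for p in parts[1:]:
        k, v = p.split(":")
        m[k] = v
    for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):
        if k not in m:
            raise ValueError(f"missing base metric {k}")
    return m


def _score(av, ac, pr, ui, scope, c, i, a, cr=1.0, ir=1.0, ar=1.0, env=False):
    """Shared arithmetic for the base score and the environmental sub-score."""
    iss = 1 - (1 - cr * CIA[c]) * (1 - ir * CIA[i]) * (1 - ar * CIA[a])
    if env:                       # the spec caps the modified ISS at 0.915
        iss = min(iss, 0.915)
    if scope == "U":
        impact = 6.42 * iss
    elif env:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    pr_w = (PR_C if scope == "C" else PR_U)[pr]   # PR weight depends on scope
    exploitability = 8.22 * AV[av] * AC[ac] * pr_w * UI[ui]
    if impact <= 0:
        return 0.0
    if scope == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def base_score(vector):
    m = parse(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])


def temporal_score(vector):
    m = parse(vector)
    return roundup(base_score(vector) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])


def environmental_score(vector):
    """Modified metrics override base ones; 'X' means 'use the base value'."""
    m = parse(vector)
    g = lambda k: m[k] if m[k] != "X" else m[k[1:]]   # MAV -> AV fallback etc.
    env = _score(g("MAV"), g("MAC"), g("MPR"), g("MUI"), g("MS"),
                 g("MC"), g("MI"), g("MA"),
                 REQ[m["CR"]], REQ[m["IR"]], REQ[m["AR"]], env=True)
    return roundup(env * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])


if __name__ == "__main__":
    # Constructed vectors: identical 8.8 base scores, different preconditions.
    # The first needs a victim to click; the second needs a low-privilege account.
    for v in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"):
        print(base_score(v), v)
    # The same 9.8 flaw on an internal-only host holding low-value data.
    print(environmental_score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                              "/MAV:A/CR:L/IR:L/AR:L"))
```

The two 8.8 vectors are the concrete version of "examine the individual metrics": one is a phishing-style bug, the other requires an account, and which is worse depends entirely on your environment. The environmental call shows the other answer's point about the calculator: leaving the base vector untouched and only recording that the host is reachable from an adjacent network with low C/I/A requirements moves the same vulnerability from 9.8 to 6.9.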
Hopeleonie (IT Manager):


Thanks a lot Experts :-)
