FAQ : Informations/CVSS

The CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability by assigning it a score from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective evaluation of vulnerabilities so that organizations can compare and prioritize them accordingly.

This score takes into account several aspects: ease of exploitation, potential effects on confidentiality, integrity and availability, as well as the conditions required to carry out the attack. In summary, CVSS helps quantify the inherent danger level of a security flaw.

#CVE #CVSS

The CVSS scale ranges from 0.0 to 10.0, and each range is associated with a severity level:

  • 0.0: None
  • 0.1 to 3.9: Low
  • 4.0 to 6.9: Medium
  • 7.0 to 8.9: High
  • 9.0 to 10.0: Critical

This classification allows organizations to filter vulnerabilities by severity, but it does not consider the specific context of each company. That’s why other criteria, such as active exploitation or the affected assets, should be included in the evaluation.

#CVE #CVSS

The CVSS score measures the intrinsic severity of a vulnerability, but not its actual exploitation or relevance in a specific environment. For example, a vulnerability may have a high score but be hard to exploit in your infrastructure, or conversely, a medium-score flaw might target a critical, unsegmented system.

To assess risk more accurately, it's important to include complementary indicators such as:

  • The EPSS score (probability of actual exploitation)
  • Inclusion in the KEV list (confirmed exploitation)
  • The business or technical context of the affected environment

Thus, CVSS should be viewed as an indicator of severity, not a complete risk assessment.

#CVE #CVSS

CVSS is divided into three sub-scores:

  • Base score: evaluates the intrinsic severity of the vulnerability, regardless of context. It is usually public.
  • Temporal score: adjusts the rating based on factors such as exploit availability or the existence of a patch. It reflects the maturity of the threat.
  • Environmental score: allows organizations to adapt the evaluation to their own context (asset importance, exposure, business impact). It is customized for each company.

By combining these three layers, the CVSS model becomes a more flexible tool for refining remediation priorities based on real-world conditions.

#CVE #CVSS

Yes, a CVSS score can evolve over time, especially when new information emerges. For example, a public exploit, a patch bypass, or confirmed active exploitation may lead analysts to revise the temporal score or even the base vector if an error was identified in the initial assessment.

Moreover, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

#CVE #CVSS

Yes, there is an official CVSS score calculator provided by FIRST (the Forum of Incident Response and Security Teams), the organization that maintains the CVSS standard. It is available online at: https://www.first.org/cvss/calculator.

This calculator allows users to build a vector by selecting the relevant metrics, then automatically calculates the scores (base, temporal, environmental).

#CVE #CVSS
