Launch of CVSS 4.0: a new standard for more accurate vulnerability assessment

Lord777

With new metrics, CVSS v4.0 raises the bar in security assessment.

The Forum of Incident Response and Security Teams (FIRST) has officially announced the release of version 4.0 of the Common Vulnerability Scoring System (CVSS), 8 years after the launch of the previous version, CVSS v3.0. FIRST first presented CVSS 4.0 in June at its 35th annual conference in Montreal, Canada.

CVSS is a unified system for assessing the risk posed by software vulnerabilities. It assigns a numerical score, or a qualitative rating (for example low, medium, high or critical), based on how exploitable the vulnerability is, its impact on confidentiality, integrity and availability, and the privileges required; a higher score means a more dangerous vulnerability.

CVSS helps you prioritize your response to security threats because it provides a consistent way to assess the impact of vulnerabilities and to compare risk across different systems and software.

Here is a list of key changes made to the CVSS v4.0 standard:

1. Finer granularity in the base metrics, giving users a more accurate assessment of vulnerabilities.

2. Removal of ambiguity in scores that are derived downstream from a vulnerability assessment.

3. Simplified threat metrics, making the standard easier to understand and use.

4. A more effective assessment that takes into account environment-specific security requirements and compensating controls.

5. Introduction of additional metrics for vulnerability assessment:
  • Automation (whether exploitation is wormable);
  • Recovery (how resilient the system is after the vulnerability is exploited);
  • Value (the significance of the resource affected by the vulnerability);
  • Vulnerability response effort (the resources needed to remediate the issue);
  • Vendor responsiveness (how quickly the software vendor responds to a vulnerability).

6. Broader applicability of the standard to Operational Technology (OT), Industrial Control Systems (ICS) and the Internet of Things (IoT), with the addition of metrics and security values for these domains.

7. Introduction of a new nomenclature for vulnerability classification:
  • CVSS-B (Base);
  • CVSS-BT (Base + Threat);
  • CVSS-BE (Base + Environmental);
  • CVSS-BTE (Base + Threat + Environmental).
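The label in item 7 depends on which metric groups a score actually uses. The Python below is added here as an illustration, not code from the post or from FIRST: it parses a CVSS v4.0 vector string, checks that the base group is complete, and derives the CVSS-B/BT/BE/BTE label. The metric abbreviations are taken from the published v4.0 specification (the post names the groups but not the abbreviations), and the rule that a threat or environmental metric explicitly set to X counts as unused is this example's own convention.

```python
import re

# Metric abbreviations as published in the CVSS v4.0 specification (assumed from the
# spec; the post above names the metric groups but not their abbreviations).
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT = ("E",)
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
# Supplemental: Safety, Automatable, Recovery, Value Density, Response Effort, Provider Urgency
SUPPLEMENTAL = ("S", "AU", "R", "V", "RE", "U")
METRIC_RE = re.compile(r"([A-Z]{1,3}):([A-Za-z]+)")


def parse_vector(vector):
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}; reject malformed or repeated metrics."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError("not a CVSS v4.0 vector string")
    metrics = {}
    for part in body.split("/"):
        match = METRIC_RE.fullmatch(part)
        if match is None:
            raise ValueError(f"malformed metric {part!r}")
        name, value = match.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    return metrics


def nomenclature(vector):
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a vector string.
    Convention (an assumption of this example): a threat or environmental metric set to
    X ("Not Defined", the default) counts as absent since it does not alter the score;
    supplemental metrics are accepted but never change the label."""
    metrics = parse_vector(vector)
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"incomplete base group, missing {missing}")
    unknown = set(metrics) - set(BASE + THREAT + ENVIRONMENTAL + SUPPLEMENTAL)
    if unknown:
        raise ValueError(f"unknown metrics {sorted(unknown)}")
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


if __name__ == "__main__":
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"  # constructed sample
    for v in (base, base + "/E:A", base + "/CR:H/MAV:L", base + "/E:P/CR:H/AU:Y"):
        print(nomenclature(v), v)
```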

A complete list of all changes made to the CVSS v4.0 standard, including more precise delineation through new base metrics/values and improved impact metrics, is available on this page.