The Forum of Incident Response and Security Teams (FIRST) has officially announced the release of version 4.0 of the Common Vulnerability Scoring System (CVSS), coming eight years after the previous version, CVSS v3.0, was launched. FIRST unveiled CVSS 4.0 at its 35th annual conference in Montreal, Canada, in June.
The Forum of Incident Response and Security Teams (FIRST) has officially announced the release of version 4.0 of the Common Vulnerability Scoring System (CVSS), coming eight years after the previous version, CVSS v3.0, was launched. FIRST unveiled CVSS 4.0 at its 35th annual conference in Montreal, Canada, in June
CVSS is a standardized framework for assessing the severity of software vulnerabilities, assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.
CVSS aids in the proper prioritization of responses to security threats, providing a consistent method for assessing the impact of vulnerabilities and comparing risks across different systems and software.
Here is a list of key changes incorporated into the CVSS v4.0 standard:
- Enhanced granularity of base metrics allows for a more accurate assessment of vulnerabilities.
- Elimination of ambiguities in the ratings based on the subsequent use of vulnerability scores.
- Simplification of threat metrics to facilitate understanding and utilization of the standard.
- Increased assessment efficiency by considering specific security requirements of the environment and compensatory controls.
- Introduction of additional metrics for vulnerability assessment:
- Automation (susceptibility to worms);
- Recovery (system resilience post-exploit);
- Value (significance of the affected resource);
- Efforts to respond to the vulnerability (resources required for mitigation);
- Vendor response times (speed at which the software vendor addresses the vulnerability).
- Expanded applicability of the standard to Operational Technologies (OT), Industrial Control Systems (ICS),
- Internet of Things (IoT), with the addition of metrics and security values.
- Introduction of a new nomenclature for classifying vulnerabilities:
- CVSS-B: CVSS Base Score
- CVSS-BT: CVSS Base + Threat Score
- CVSS-BE: CVSS Base + Environmental Score
- CVSS-BTE: CVSS Base + Threat + Environmental Score
The complete list of all changes introduced in the CVSS v4.0 standard, including more precise differentiation through new base metrics/values and improved impact metrics, is available on this page.