
Will CVSS 4.0 be a vulnerability-scoring breakthrough or is it broken?

August 7, 2023


Anyone in cybersecurity who has had to deal with vulnerabilities in technology systems has inevitably run into the Common Vulnerability Scoring System (CVSS). Whether or not the name is instantly recognizable, phrases labeling vulnerabilities as “critical” or “high” or the like resonate across the industry. CVSS has been used to provide a standardized method for discussing the characteristics of a vulnerability and, ultimately, to produce a numerical score reflecting its severity, along with a qualitative metric (low, medium, or high) that gives organizations a relative gauge for managing vulnerabilities in their systems and environments.

The system has existed since 2005, has achieved widespread adoption, and has become the definitive vulnerability scoring system utilized by the NIST National Vulnerability Database (NVD). It has also been leveraged by leading vulnerability management tooling and vendors.

Read More on CSO Online