FIRST maintains the Common Vulnerability Scoring System (CVSS), which many people and organizations use to rate the severity of security vulnerabilities. However, some people misunderstand the scope of CVSS. In this article, we debunk three myths about CVSS.
Myth 1: CVSS is about security risks
Quite often, we read something like, “The CVSS base score of the security vulnerability is 9.8, so there is a very high risk that somebody exploits it.” CVSS, however, measures the severity of a security vulnerability, not the risk it poses to you.
Risk assessment, in its simplest form, means you determine the likelihood that an unwanted scenario occurs and its impact (what happens if the scenario occurs?). The CVSS base score tells you neither how likely exploitation is in your environment nor what it would cost you: its exploitability metrics describe properties of the vulnerability, not threat activity, and its impact metrics describe the technical effect on the vulnerable component, not the business impact.
The official User Guide states, “Concerns have been raised that the CVSS Base Score is being used in situations where a comprehensive assessment of risk is more appropriate. … a comprehensive risk assessment system should be employed that considers more factors than simply the CVSS Base Score. Such systems typically also consider factors outside the scope of CVSS such as exposure and threat.”
Use the CVSS base score to compare the severity of distinct security vulnerabilities. Don’t use it to derive risk.
Myth 2: CVSS is an exact science
At some point, somebody (usually the vendor or the organization publishing the advisory) calculates the CVSS base score, which then becomes part of security advisories.
Several issues are apparent:
- The score depends entirely on the judgment of that individual or organization, who may overrate or underrate individual metrics, producing a score that is too high or too low.
- The score doesn’t consider your environment. The actual likelihood of exploitation and the possible impact differ from system to system.
- Rating the individual metrics (e.g., attack complexity or confidentiality impact) is a judgment call, as the metric categories have no measurable thresholds.
The CVSS score is an estimate, not an exact science. Understand its limited scope and use the environmental metrics to adapt it to your systems.
Myth 3: Focusing on the most critical vulnerabilities is sufficient
Some organizations set an arbitrary threshold (e.g., a CVSS base score greater than 7) and then only address security vulnerabilities exceeding this threshold.
However, leaving 20 security vulnerabilities with a CVSS base score lower than 7 unaddressed may be worse than fixing one vulnerability with a base score of 9, for instance when an attacker chains several of the lower-rated ones. Ignoring the remaining vulnerabilities can end badly, especially since the base score itself is already only an estimate.
Vulnerability management goes hand in hand with risk management. Don’t set an arbitrary threshold; address all vulnerabilities, and prioritize those in exposed systems. For instance, fix a critical vulnerability in your public web server software immediately. Fixing the same vulnerability in a local development setup might be less urgent, as the likelihood of exploitation is lower for this specific setup.
If you read security advisories and talk about security vulnerabilities, you should know what CVSS means and where its limits are. The Common Vulnerability Scoring System doesn’t replace proper risk management, and the single number we all talk about might not be as accurate as you assume.
- Common Vulnerability Scoring System v3.1: Specification Document
- Common Vulnerability Scoring System v3.1: User Guide