A standardized framework for rating the severity of security vulnerabilities on a scale of 0-10 based on exploitability, impact, and complexity metrics.
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. Managed by the Forum of Incident Response and Security Teams (FIRST), CVSS assigns a numerical score ranging from 0.0 (low severity) to 10.0 (critical severity) to help security teams prioritize their patching and vulnerability management workflows.
CVSS provides a consistent, quantitative language for describing security issues across diverse platforms. By breaking down scores into Base, Temporal, and Environmental metrics, it allows organizations to distinguish between a vulnerability's theoretical threat level and its actual risk within a specific network architecture. This ensures that security budgets and patching schedules are directed toward resolving the most impactful weaknesses first.
CVSS scores are mapped into qualitative severity levels: Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0).
This grouping simplifies reporting to executive teams and business owners who may not understand the specific technical details of an exploit. It also allows compliance frameworks to define clear service level agreements (SLAs) for mitigation tasks based on these tiers.
CVSS is structured around three metric groups: Base, Temporal, and Environmental.
The Base score represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, such as Attack Vector, Attack Complexity, and Confidentiality Impact. The Temporal score measures the current state of exploitability, testing status, and patch availability. The Environmental score evaluates the target organization's internal controls, system criticality, and mitigations, making it the most accurate risk representation for a business.
Security operations teams should avoid relying solely on the Base score. Instead, they should calculate the Environmental score to reflect internal network segmentation, system configurations, and compensating security controls. It is best practice to automate CVSS tracking through integration with vulnerability scanners and SIEM tools so that vulnerabilities are continuously reprioritized as new exploit code becomes public.
In Malaysia, CVSS scores are widely used to satisfy reporting guidelines established by BNM and NACSA. For instance, financial institutions aligning with RMiT standards are required to log, report, and remediate CVSS Critical (9.0-10.0) and High (7.0-8.9) vulnerabilities within specific, aggressive timelines (often within 48 to 72 hours for critical production bugs).