The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015.
CVSS essentially provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes.
One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that "CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk."
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
CVSS v3.1 has also attracted criticism for a general lack of granularity in the scoring scale and for failing to adequately represent health, human safety, and industrial control systems.
The latest revision to the standard aims to address some of these shortcomings by providing several supplemental metrics for vulnerability assessment, such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U).
It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.
The idea, FIRST said, is to "reinforce the concept that CVSS is not just the Base score," adding "this nomenclature should be used wherever a numerical CVSS value is displayed or communicated."
"The CVSS Base Score should be supplemented with an analysis of the environment (Environmental Metrics), and with attributes that may change over time (Threat Metrics)," it further noted.