After announcing the upgradation of the CVSS 3.0 scoring system in June, this week, FIRST officially released the CVSS 4.0. This new standard will facilitate better severity scoring of vulnerabilities discovered henceforth.
CVSS 4.0 Is Officially Released
According to the recent press release from FIRST (Forum of Incident Response and Security Teams) the 4th iteration of the CVSS scoring standard is now public.
Identified as CVSS 4.0, this iteration of the CVSS standard will “provide the highest fidelity of vulnerability assessment for both industry and the public,” according to FIRST.
Specifically, the new release has simplified threat metrics, offers an effective environment-specific assessment of vulnerabilities, compensates controls, and removes downstream scoring ambiguity.
Moreover, it also includes other scoring metrics according to the prevalent threat trends, such as Automable (wormability), Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. With these improvements, CVSS 4.0 also becomes applicable to the OT/ICS/IoT vulnerabilities.
This new iteration also comes with the following nomenclature.
- CVSS-B: CVSS Base Score
- CVSS-BT: CVSS Base + Threat Score
- CVSS-BE: CVSS Base + Environmental Score
- CVSS-BTE: CVSS Base + Threat + Environmental Score
What Is CVSS? Quick Overview
CVSS (Common Vulnerability Scoring System) is a free, open security standard for scoring the severity of security vulnerabilities. With an easy scoring system, this standard helps the security community quickly identify and prioritize vulnerabilities based on the threat severity.
While low-severity vulnerabilities are seldom considered a serious issue, vulnerabilities with high scores (like 9.0 and higher) are usually deemed critical severity and need immediate attention.
The first CVSS version came out in 2005, and since then, it has gone through several improvements according to the rising threats. The last release in use, CVSS 3.0, surfaced online in 2015. And now, after eight years, CVSS 4.0 has arrived with further improvements to cater to the contemporary security demands.
Let us know your thoughts in the comments.