What is CVSS?
The Common Vulnerability Scoring System, commonly known as CVSS, is a framework for scoring vulnerabilities and categorizing them according to their characteristics and impact. This in turn helps us understand which vulnerabilities need immediate action and which can be scheduled for later remediation as appropriate for our environment.
A vulnerability is scored on its characteristics and severity, on a scale from 0.0 to 10.0, where 0.0 is the lowest and 10.0 is the highest rating.
CVSS is maintained by FIRST (https://www.first.org/cvss/), and the latest version is 3.0, released in June 2015.
Over the years there have been several versions of CVSS: version 1, version 2 and the latest, version 3. Version 2 was the most widely used throughout the industry before version 3 was released.
Using a framework like CVSS has the following benefits:
• A standardized vulnerability scoring system, which makes vulnerability assessment easy in any area of the organization.
• Transparency in the scoring system, since it is an open framework; anybody can understand how a score was arrived at.
• Risk prioritization, since it helps separate high-impact risks from low and medium ones, making it faster and easier to concentrate on the critical vulnerabilities and their fixes.
A little dip into the CVSS methodology:
CVSS is made of 3 metric groups; the group names and their functions are:
Base Metric Group: The constant characteristics of the vulnerability, which do not change across environments or over time.
Temporal Metric Group: Characteristics that change over time but not across environments.
Environmental Metric Group: Vulnerability characteristics specific to a particular environment.
For a more in-depth study of what goes on under the hood of the framework, please refer to the links in the reference section.
How to calculate a CVSS score
The CVSS documentation covers the process of calculating the score in great detail. Alternatively, FIRST has an excellent tool on its website that makes calculating a CVSS score easy (https://www.first.org/cvss/calculator/3.0). All you have to do is choose the characteristics of the vulnerability, such as Attack Vector and Scope, and it calculates the CVSS score for you.
FIRST offers a free module to learn how to use CVSS and calculate a score for your vulnerability. It can be found here.
In the end it is worth spending some time understanding how CVSS scoring works, especially if you work with vulnerabilities regularly. Not only will it help you identify which kinds of vulnerabilities impact your environment the most, it will also help you understand the in-depth characteristics of your environment.
All the information for this article was gathered from the reference links mentioned below. Have a look at them for a detailed study of the subject.
Being the first post of the site, I tried to keep it small and easy to understand. Any improvement is welcome.