CVSS 4.0: Unveiling the Cybersecurity Scoring System
2023-11-11 15:49:33


InfoSec Write-ups

In the world of cybersecurity, understanding the severity of vulnerabilities is crucial. This is where CVSS (Common Vulnerability Scoring System) comes into play. But before we dive into CVSS 4.0, let’s take a quick journey through its evolution.

What is CVSS?

CVSS, the Common Vulnerability Scoring System, is a standardized method for assessing and rating the severity of software vulnerabilities. It provides a common language for security professionals to communicate and prioritize vulnerabilities effectively.

Why is it Required?

In the prehistoric times of cybersecurity (pre-2005) (hehe 😛), various vendors used custom, incompatible rating systems for vulnerability severity. Recognizing the need for standardization, the National Infrastructure Advisory Council (NIAC) set out to create CVSS.

In February 2005, CVSS version 1 was born, but it faced criticism due to ambiguities in metric definitions. Subsequently, in June 2007, CVSS version 2 was introduced, providing a more refined and comprehensive framework.

CVSS version 3.0, launched in June 2015, introduced the concept of “Scope” and made terminology updates. In June 2019, CVSS version 3.1 clarified and improved upon the previous version.

And now, in 2022, CVSS version 4.0 has arrived, emphasizing the importance of using Threat Intelligence and Environmental metrics for accurate scoring. It introduces new concepts like “Automatable,” “Recovery,” and “Vulnerability Response Effort.”

Challenges and Critique of CVSS 3.1

While CVSS has been instrumental in assessing vulnerabilities, it’s not without its challenges. It’s often criticized for not providing real-time threat and supplemental impact details, and it primarily applies to IT systems, neglecting health, human safety, and industrial control systems. Moreover, scores published by vendors tend to be on the higher side. This can lead to unnecessary alarm or confusion when organizations assess their vulnerabilities.

While temporal metrics are part of the CVSS 3.1 framework, they don’t always effectively impact the final CVSS score. This can result in scores that don’t reflect the real-world impact. Some users find the CVSS scoring formula overly complicated and counterintuitive. The complexity of the formula can be a barrier for…
