
Security's revamped index of pain readies for release

Comments sought on draft Common Vulnerability Scoring System 3.0 bug rating scheme

The great unwashed has been afforded an opportunity to comment on a new scheme for classifying the severity of infosec vulnerabilities issued by the National Institute of Standards and Technology.

The Common Vulnerability Scoring System (CVSS) is a pain-assessment index that offers a one-to-ten scale to describe vulnerabilities.

Scores range from 0 to 10: high severity is graded 7 to 10, medium 4 to 6.9, and low 0 to 3.9.

The first version of the CVSS was launched in 2004. Work began on version three in 2012 and is expected to be completed this year.

Co-chair Max Heitman said in an update that developers and bug reporters should use the new scoring system now, but only publish scores using the old rating system.

"As with preview release 1, it is our hope that teams will fully utilize access to this preview and begin to produce CVSS v3.0 scores alongside whatever other scoring system they are using today," Heitman said.

"When the completed CVSS v3.0 standard is approved, organisations that have stored scores produced via CVSS v3.0 previews can use that data to offer official CVSS v3.0 scoring data."

CVSS scores offer a handy way to prioritise triage targets, more so now that the revised scoring system offers more granular insight into the exploitability of a bug, its remediation level, collateral damage, and confidence in the source of the vulnerability report.

The second preview of the new scheme updated where a CVSS score should be placed - at the point where security, integrity and availability were impacted - and explained how bugs touching multiple systems should be handled, among other improvements.

Preview documents can be downloaded and comments can be sent to the special interest group by emailing before February 28. ®
