Launch of CVSS 4.0: New Standard for Accurate Vulnerability Assessment

The Forum of Incident and Security Response Teams (FIRST) has officially announced the release of the new version 4.0 of the Common Vulnerability Scoring System (CVSS). This release comes 8 years after the launch of the previous version, CVSS V3.0. FIRST unveiled CVSS 4.0 in June during its 35th annual conference in Montreal, Canada.

CVSS is a unified system for rating how dangerous a software vulnerability is. It assigns a numeric score, or a qualitative rating such as Low, Medium, High or Critical, based on the vulnerability's potential impact on confidentiality, integrity and availability and on the privileges required to exploit it. Higher scores indicate more dangerous vulnerabilities.

By providing a consistent way to assess vulnerability effects and compare risks across different systems and software, CVSS helps prioritize security response efforts.

The new CVSS V4.0 standard incorporates several key changes, including:

  1. More detailed base metrics for more accurate vulnerability assessment.
  2. Less ambiguity in assessments that build on later re-evaluations of a vulnerability.
  3. More effective assessment that accounts for environment-specific security requirements and compensating controls.
  4. Introduction of additional metrics for evaluating vulnerabilities:
     • Automation (exposure to worms)
     • Restoration (system stability after a vulnerability is exploited)
     • Value (significance of the affected resource)
     • Effort to respond to the vulnerability (resources required for remediation)
     • Supplier's efficiency (speed of the supplier's response to the vulnerability)
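To make the score-to-rating mapping and the new metric group concrete, here is an added example (not code from FIRST or the announcement) that parses and validates a CVSS v4.0 vector string, accepting the mandatory base metrics and the optional supplemental metrics listed above, and maps a numeric score to its qualitative rating. Metric abbreviations and allowed values follow the published CVSS v4.0 specification; threat and environmental metrics are deliberately out of scope here and are rejected as unknown, and the sample vector in the test is constructed.

```python
# Added example: validate a CVSS:4.0 vector (base + supplemental metrics only)
# and map a numeric score to the qualitative severity rating.
import re

# Mandatory base metrics and their allowed values (CVSS v4.0 specification).
BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
# Optional supplemental metrics, new in v4.0; they carry context for the
# consumer and do not change the numeric score. "X" means "not defined".
SUPPLEMENTAL = {
    "S": ("X", "N", "P"),                 # Safety
    "AU": ("X", "N", "Y"),                # Automatable (worm-like exploitation)
    "R": ("X", "A", "U", "I"),            # Recovery (automatic / user / irrecoverable)
    "V": ("X", "D", "C"),                 # Value Density (diffuse / concentrated)
    "RE": ("X", "L", "M", "H"),           # Vulnerability Response Effort
    "U": ("X", "Clear", "Green", "Amber", "Red"),  # Provider Urgency
}

def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a CVSS:4.0 vector; raise ValueError if malformed."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric component {part!r}")
        name, value = m.groups()
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        allowed = BASE.get(name) or SUPPLEMENTAL.get(name)
        if allowed is None:
            raise ValueError(f"unknown or unsupported metric {name}")
        if value not in allowed:
            raise ValueError(f"{value!r} is not a valid value for {name}")
        metrics[name] = value
    missing = [n for n in BASE if n not in metrics]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return metrics

def severity(score: float) -> str:
    """Map a 0.0-10.0 CVSS score to the qualitative rating (None/Low/Medium/High/Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be between 0.0 and 10.0")
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"))
    return next((label for limit, label in bands if score <= limit), "Critical")
```

Metric order within the vector is not enforced here, only presence and value validity.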

The new standard also extends its applicability to operational technology, industrial control systems and the Internet of Things (IoT). With the growing number of IoT devices in consumer use, such as smart vehicles, smart home systems, wearables, medical devices and remotely monitored equipment, CVSS V4.0 aims to provide a comprehensive framework for assessing vulnerabilities in these technologies.
