
Common Vulnerability Scoring System

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by RJFJR (talk | contribs) at 22:24, 24 November 2006 (rewrite to clear CV). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants compared to other vulnerabilities, so that remediation efforts can be prioritized. The score is derived from a series of measurements, called metrics, each assigned by expert assessment.

Metrics

CVSS groups its metrics into three areas of concern:

  1. Base Metrics for qualities intrinsic to a vulnerability.
  2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.
  3. Environmental Metrics for characteristics of a vulnerability that depend on a particular implementation or environment.

Base Metrics

  1. Is the vulnerability exploitable remotely (as opposed to only locally)?
  2. How complex must an attack be to exploit the vulnerability?
  3. Is authentication required to attack?
  4. Does the vulnerability expose confidential data?
  5. Can attacking the vulnerability damage the integrity of the system?
  6. Does it impact availability of the system?

Temporal Metrics

  1. How complex is it (or how long will it take) to attack the vulnerability?
  2. How hard will it be (or how long will it take) to remediate the vulnerability?
  3. How certain is it that the vulnerability exists?

Environmental Metrics

  1. What is the potential to cause collateral damage?
  2. How many systems (or how much of a system) does the vulnerability impact?
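The three metric groups above are layered: the temporal score adjusts the base score, and the environmental score adjusts the temporal score. The following is an added example, not part of the article, that carries two constructed vulnerabilities (not real ones) through all three layers. The numeric weights are reproduced from the original CVSS v1 specification (2005) as this example's author recalls them, the v1 "Impact Bias" metric (not listed above) is assumed fixed at "normal", and the dictionary keys are this example's own names for the metric values.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights of the CVSS v1 specification (2005), reproduced from memory of that document;
# the article does not give them. Impact Bias is fixed at v1's "normal" (equal weights).
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}  # confidentiality, integrity, availability
IMPACT_BIAS = 0.333
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9, "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.9, "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.9, "uncorroborated": 0.95, "confirmed": 1.0}
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}

def round1(x):
    """CVSS reports every score to one decimal place (round half up)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def base_score(av, ac, au, conf, integ, avail):
    """Base metrics: intrinsic qualities, the same for every deployment."""
    impact = (IMPACT[conf] + IMPACT[integ] + IMPACT[avail]) * IMPACT_BIAS
    return round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact)

def temporal_score(base, exploitability, remediation, confidence):
    """Temporal metrics can only lower the base score: every weight is <= 1.0."""
    return round1(base * EXPLOITABILITY[exploitability] * REMEDIATION_LEVEL[remediation]
                  * REPORT_CONFIDENCE[confidence])

def environmental_score(temporal, collateral, distribution):
    """Collateral damage pulls the score toward 10; target distribution scales it down."""
    adjusted = temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral]
    return round1(adjusted * TARGET_DISTRIBUTION[distribution])

def prioritize(vulns):
    """Rank vulnerability records as (name, base, temporal, environmental), highest environmental first."""
    scored = []
    for v in vulns:
        b = base_score(*v["base"])
        t = temporal_score(b, *v["temporal"])
        scored.append((v["name"], b, t, environmental_score(t, *v["environmental"])))
    return sorted(scored, key=lambda r: r[3], reverse=True)

# Constructed records: A is remotely exploitable but rare here; B is local-only but on critical hosts.
SAMPLE = [
    {"name": "A", "base": ("remote", "low", "not_required", "partial", "partial", "partial"),
     "temporal": ("functional", "official_fix", "confirmed"), "environmental": ("low", "low")},
    {"name": "B", "base": ("local", "low", "required", "complete", "complete", "complete"),
     "temporal": ("high", "unavailable", "confirmed"), "environmental": ("high", "high")},
]
```

`prioritize(SAMPLE)` ranks B (environmental 7.1) ahead of A (1.6) even though A has the higher base score (7.0 against 4.2), which is exactly the reordering the environmental metrics exist to express.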