New CVSS 4.0 helps us evaluate threats better
Source: First.org

The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard. The new version has different categories to help us evaluate threats better and introduces a new way to look at Base scores alongside Threat and Environmental factors.

For those who don’t know: CVSS is a standardized framework for assessing the severity of software security vulnerabilities. It is used to assign numerical scores or a qualitative representation (low, medium, high, critical). These scores are based on exploitability, the impact on confidentiality, integrity and availability, and the privileges required. The framework helps to prioritize responses to security threats because it provides a consistent way to evaluate the impact of vulnerabilities and to compare risks across different systems and software.

The 4.0 version of CVSS has the following adjustments compared to 3.0:

  1. Details matter: New metrics have been added to give a clearer picture of a vulnerability's nature and the level of user interaction required.
  2. Clearer Impact Disclosure: Now it's easier to gauge the impact on both the vulnerable system and any other systems that might be affected.
  3. Simplified Threat Metrics: The update makes the threat level straightforward to understand by simplifying the metrics and removing some old ones.
  4. New Supplemental Metrics: These extra metrics, such as Safety, Automatable, and Recovery, help in understanding aspects of a vulnerability that weren’t covered before.
  5. Special Focus on Safety: There's additional emphasis on evaluating the safety aspect, especially in operational technology and industrial control systems.
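
To make these groupings concrete, here is an added example (not part of the original article or FIRST's own code) that parses a CVSS v4.0 vector string and sorts its metrics into Base, Threat, Environmental and Supplemental groups. The metric abbreviations follow the CVSS v4.0 specification; the function name `parse_cvss4` and the sample vector are constructed for illustration, and no score is computed.

```python
# Added example: group the metrics of a CVSS v4.0 vector by category.
# Metric abbreviations and values follow the FIRST CVSS v4.0 specification.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH",
    "UI": "NPA",                              # None / Passive / Active
    "VC": "HLN", "VI": "HLN", "VA": "HLN",    # impact on the vulnerable system
    "SC": "HLN", "SI": "HLN", "SA": "HLN",    # impact on subsequent systems
}
THREAT = {"E"}                                # Exploit Maturity
ENVIRONMENTAL = {"CR", "IR", "AR"} | {"M" + m for m in BASE}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}  # Safety, Automatable, Recovery, ...

# Constructed sample vector, not taken from any real advisory.
SAMPLE = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H"
          "/SC:N/SI:N/SA:N/E:A/S:P/AU:Y/R:U")

def parse_cvss4(vector):
    """Return (nomenclature, groups); raise ValueError on a malformed vector.
    Metric ordering and non-Base value sets are not checked here."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    groups = {"base": {}, "threat": {}, "environmental": {}, "supplemental": {}}
    seen = set()
    for item in rest.split("/"):
        name, _, value = item.partition(":")
        if not value or name in seen:
            raise ValueError(f"malformed or repeated metric: {item!r}")
        seen.add(name)
        if name in BASE:
            if value not in tuple(BASE[name]):
                raise ValueError(f"invalid value for {name}: {value!r}")
            groups["base"][name] = value
        elif name in THREAT:
            groups["threat"][name] = value
        elif name in ENVIRONMENTAL:
            groups["environmental"][name] = value
        elif name in SUPPLEMENTAL:
            groups["supplemental"][name] = value
        else:
            raise ValueError(f"unknown metric: {name!r}")
    missing = [m for m in BASE if m not in groups["base"]]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    # "X" means Not Defined, so it does not count as a supplied metric.
    suffix = "B"
    suffix += "T" if any(v != "X" for v in groups["threat"].values()) else ""
    suffix += "E" if any(v != "X" for v in groups["environmental"].values()) else ""
    return "CVSS-" + suffix, groups
```

For the sample vector, `parse_cvss4(SAMPLE)` reports the nomenclature `CVSS-BT` and lists Safety, Automatable and Recovery under the supplemental group, separate from the Base metrics.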

With CVSS 4.0, the vulnerability assessment game is changing, making it easier for us to tailor the evaluation process to each client's specific needs.
