Vulnerability scoring system now extendable to help better serve a wide range of industries

An updated version of the Common Vulnerability Scoring System (CVSS) has been introduced, complete with new functionality to make it easier for security professionals to measure threats faced by critical infrastructure sectors, among other improvements.

Introduced in 2005, CVSS is used to help measure the potential impact of a security vulnerability by providing a score that denotes its severity.

The latest update, version 3.1, was announced last week with the intention of simplifying and expanding on previous models.

“The goal of CVSS version 3.1 is to clarify and improve upon the existing CVSS version 3.0 standard without introducing new metrics or metric values, allowing for frictionless adoption of the new standard by both scoring providers and scoring consumers alike,” a spokesperson for the open source framework told The Daily Swig.

“Updates to the CVSS version 3.1 specification include clarification of the definitions and explanation of existing base metrics such as attack vector, privileges required, scope, and security requirements.”

Extended scope

The update also introduces a new standard for extending CVSS, called the CVSS Extensions Framework.

This framework allows additional metrics to be defined for scoring vulnerabilities in areas such as privacy, safety, and automotive, and in critical infrastructure sectors such as healthcare, which usually fall outside the core scope of CVSS.

FIRST, the curator of CVSS, consulted with leading experts from across industries to formulate the new guidelines.

“Over the past four years, the FIRST CVSS SIG [Special Interest Group] held weekly meetings attended by over 30 members from more than 15 different organizations spanning several industry sectors, including academia, banking, energy, government, healthcare, industrial controls, and hardware, software, and networking technology,” the spokesperson said.

“Proposals were solicited from all active participants, vetted and peer-reviewed during the weekly meetings, and officially submitted for voting to all voting participants.

“A simple majority of the voting members was required for approval, although most often the votes were unanimous.”

A more detailed account of the scope and definitions included in CVSS version 3.1 can be found on the FIRST website.
