Common Vulnerability Scoring System (CVSS-SIG)

New version of Common Vulnerability Scoring System released

Seville Spain June 20, 2007: Millions of computer users worldwide will enjoy more secure virtual experiences and transactions with the advent today of CVSSv2 the latest version of the Common Vulnerability Scoring System.

The release of version 2 was announced today by the Forum of Incident Response and Security Teams (FIRST) and the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG).

CVSS provides a universal open and standardized method for rating IT vulnerabilities.

Over a dozen members of the CVSS-SIG collaborated extensively through 2006 and 2007 to revise and improve CVSS v1 by testing and re-testing hundreds of real-world vulnerabilities. CVSS v2 represents the collective feedback and experience of many of the early adopters and security professionals of the CVSS-SIG.

We feel CVSS v2 addresses many of the early issues of CVSS v1 brought up both by consumers and the SIG. We are excited to announce this new version and are looking forward to using it, said Gavin Reid, Chair of the CVSS SIG.

CVSS v2 is a significant improvement over the original version. It reduces inconsistencies, provides additional granularity, and more accurately reflects the wide variety of vulnerabilities.

We believe that CVSS v2 demonstrates a new level of maturity in standardized vulnerability scoring, added Steve Christey, of the MITRE Corporation, who edits Common Vulnerabilities and Exposures (CVE). We wanted to achieve the best possible balance of accuracy, flexibility and usability.

Another member of the programme team, Sasha Romanosky of Carnegie Mellon University, said that CVSSv2 is even better at communicating the true properties of IT vulnerabilities for end-users, and for commercial and non-profit security organizations.

As a part of the U.S. governments SCAP (Security Content Automation Protocol) CVSS v2 will be used in standardizing and automating vulnerability management for many millions of computers, eventually rising to hundreds of millions.

CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS.

Nevertheless, the CVSS-SIG continues constantly to evaluate the standard by analyzing and scoring old and new vulnerabilities, examining feedback received from CVSS users, and fine-tuning the mathematical equations.

About CVSS

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2


About FIRST and CVSS-SIG

FIRST, the world's leading incident-handling forum, is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs. FIRST sponsors and supports the CVSS-SIG, a diverse group of security professionals who have a keen interest in security vulnerabilities and use CVSS in their daily work. In addition, FIRST hosts a special interest group to update and promote CVSS and provides a central repository for CVSS documentation.


Chair

Seth Hanford (TIAA-CREF)