Common Vulnerability Scoring System SIG

Mission

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS is a published standard used by organizations worldwide, and the SIG's mission is to continue to improve it.

Goals/Deliverables

CVSS is currently at version 3.0. Links on the left lead to CVSS version 3.0's specification and related deliverables.

A self-paced online training course explains CVSS v3.0 and assumes no prior CVSS experience. It is based on FIRST's open training platform.

Current initiatives

The CVSS Special Interest Group (SIG) is currently working on individual improvements that will form the basis of the next version of the CVSS standard. The SIG is composed of representatives from a broad range of industry sectors, from banking and finance to technology and academia. Organizations and individuals interested in joining the SIG, or observing progress via the CVSS SIG mailing lists, should email first-sec@first.org.

A list of potential improvements targeted at CVSS 3.next has been created based on input and feedback from various sources. The current list of potential improvements can be found here.