Common Vulnerability Scoring System SIG: Governance Guidelines

Document Version: 1.4, May 20, 2026


Participation Levels

The CVSS SIG defines the following three levels of participation:

Note: FIRST membership is not required to participate at any level.

Observer

Any person or organization can become a CVSS SIG Observer. This participation level allows access to a moderated CVSS SIG mailing list (cvss-all@first.org), which is used to share the weekly meeting agenda and the previous week’s minutes, and to generally discuss issues pertinent to the CVSS SIG. Although Observers can send emails to the mailing list, moderators will reject emails with content requiring a CVSS SIG Intellectual Property Rights (IPR) agreement, e.g., suggestions of solutions to problems or any content or action that falls outside the role of a CVSS SIG Observer.

Requests to become a CVSS SIG Observer should be sent to the FIRST Secretariat at cvss@first.org.

Participant

Any organization that agrees to and signs the CVSS SIG Intellectual Property Rights (IPR) agreement can nominate people within the organization to represent it as CVSS SIG Participants. IPR agreements are executed by a Legal Entity, hereinafter referred to as an organization: an individual or organization that is legally permitted to enter into a contract and can be sued if it fails to meet its contractual obligations. Organizations agree to the IPR on behalf of the entire organization. Individuals who do not represent an organization agree to the IPR on behalf of themselves only and accept the contractual obligations of a Legal Entity as defined above.

In cases of acquisition where one legal entity is dissolved, any IPR associated with the now dissolved entity will be rendered null, and associated voting rights transferred to the acquiring entity, upon execution of the CVSS SIG IPR.

Participants are given the ability to: send and receive emails to an unmoderated CVSS SIG mailing list; participate in on-line and face to face CVSS SIG meetings; and access the CVSS SIG’s pages on FIRST’s wiki.

When a Participant leaves an organization, he/she loses all CVSS SIG privileges. He/she can apply to participate in the CVSS SIG again but will be subject to the same joining requirements as individuals who have never been Participants.

Requests to become a CVSS SIG Participant should be sent to the FIRST Secretariat at cvss@first.org, who will review the application, and upon approval by the CVSS SIG chair(s), provide an IPR that needs to be signed before the request can be completed. The CVSS SIG chair(s) reserve(s) the right to deny applications for Participant participation in the CVSS SIG for any reason.

Voting Participant

A Participant can request that their organization be given the right to vote on CVSS SIG proposals. The Organization’s request must identify a primary named Voting Participant for the organization, and optionally a secondary named Voting Participant. Each organization whose request is accepted is given a single vote, regardless of the number of Voting Participants. Voting rights can only be requested for an organization whose Participants have collectively attended at least 50% of CVSS SIG meetings in the 30 days prior to the request. Requests to become a Voting Participant should be sent to the FIRST Secretariat at cvss@first.org by one of the Participants. Voting Participant status is calculated at the beginning of every quarter.

An organization (or individual for people not employed by an organization) is considered an Active Participant if the Participants working for that organization have collectively, over the previous calendar quarter:

*An exception to the CVSS SIG meeting attendance rule may be made for Participants in time zones where the meetings fall outside normal working hours, or in other extenuating circumstances, at the discretion of the CVSS SIG Chair(s).

The set of Voting Participants is reassessed on the first working day of each calendar quarter as follows:

  1. Organizations whose Voting Participants were sufficiently active during the previous calendar quarter retain their voting rights.

  2. Organizations who gained voting rights during the previous calendar quarter retain their voting rights.

  3. Organizations whose Voting Participants were not sufficiently active during the previous calendar quarter retain their voting rights but are warned that a second quarter of insufficient activity will lead to their organization losing its voting rights. This warning takes the form of an email sent within 14 calendar days of the beginning of the calendar quarter to every Participant within the affected organization.

  4. Organizations whose Voting Participants were not sufficiently active during the previous two calendar quarters lose their voting rights, and their Voting Participants immediately become Participants. Participants at such organizations can make a new request for their organization to be given the right to vote on CVSS SIG proposals, once the criteria described earlier in this section are again met.

Irrespective of all other rules, the CVSS SIG Chair(s) reserve(s) the right to revoke Observer, Participant, or Voting Participant status from any individual who is rude, disrespectful or disruptive to any CVSS SIG contributor or to the SIG as a whole. No requests for increases in participation level will be considered from the individual until at least one year has passed from the initial revocation.

The CVSS SIG Chair(s) may also suspend or revoke the Participant or Voting Participant status of any individual or organization in violation of the Export Administration Regulations, including but not limited to placement on the Entity List by the U.S. Department of Commerce. Since FIRST, Inc., is a U.S.-based organization, all SIGs must abide by U.S. rules and regulations. Continued participation in the CVSS SIG by an individual or organization so identified by the U.S. Department of Commerce could result in other members in good standing being legally barred from participating in the CVSS SIG.

A Voting Participant may temporarily or permanently transfer their voting privileges to another member of their organization. Temporary transfers require a start and end date to be specified. The new Voting Participant will be added to the mailing lists if he/she is not already a member. Requests to transfer voting privileges should be sent to the FIRST Secretariat at cvss@first.org.

When a Voting Participant leaves an organization, he/she loses all CVSS SIG privileges. He/she can apply to participate in the CVSS SIG again but is subject to the same joining requirements as individuals who have never been participants. If the organization is left with no Voting Participants, no votes can be cast on its behalf until one of its Participants names a new primary Voting Participant (and optionally a secondary Voting Participant).

Requests to become a CVSS SIG Voting Participant should be sent to the FIRST Secretariat at cvss@first.org.

Terminating SIG Participation

Observers, Participants and Voting Participants that wish to reduce their level of involvement in the CVSS SIG, or stop participating altogether, should contact the FIRST Secretariat at cvss@first.org to be removed from the mailing lists and/or relinquish their voting rights.

The CVSS SIG may also move inactive Participants to Observer status after a period of one year without active meeting participation.

Dispute Resolution

Disputes with decisions made by the CVSS SIG Chair(s) must be discussed with the CVSS SIG Chair(s) first. If the dispute remains unresolved, it may be reported to the FIRST Secretariat, where it will be referred to a member of the FIRST Board for resolution.

SIG Chair Role and Responsibilities

CVSS SIG co-chairs conduct the day-to-day operations of the SIG. Each co-chair should be a Participant in good standing in the SIG. When an existing co-chair decides to vacate the position, a new co-chair is suggested to the SIG by both existing co-chairs and confirmed by the SIG Voting Participants. Every two years, the SIG should confirm the continued appointment of each co-chair by a confidential vote. In addition, chairs should be reviewed, confirmed, or appointed after the release of a new CVSS standard.

Responsibilities include administrative management of the SIG, assisting in resolving disputes, and setting the work agenda for the SIG business.

Administrative management duties include:

Voting

Voting is required for all CVSS SIG determinations that have a material impact on the outcome of CVSS scores. This can include, but is not limited to, metric descriptions, formula modifications, and guidance in example documents. In practice, updates to supplemental documents (Examples, FAQ, User Guide and others) do not require voting for purely informative changes that do not have outcomes on CVSS scores. Voting proposals may be made by Participants or Voting Participants. The proposal must follow the standard CVSS SIG proposal guidelines (Appendix A).

A proposal must be open for voting for at least two weeks. Exceptions allowing a one-week voting period for proposals that fix minor issues can be granted at the discretion of the CVSS SIG Chair(s).

Only Voting Participants in effect at the time a proposal is opened for votes may vote on that proposal. Voting Participants may vote yes, no or abstain from voting.

A proposal will pass when:

A Voting Participant may change their vote while the proposal is open.

Working Groups

Created at the discretion of the co-chairs and confirmed by the SIG body. Working groups may have separate meetings and communication methods with the purpose of specific tasks, typically a proposal or document deliverable.

Constituency

Each organization requesting voting rights is categorized as belonging to one of the following constituencies, based on its primary business or purpose. A request is only accepted if, after the organization is added, its constituency will represent 25% or less of the total number of organizations with voting rights. When a constituency is full, new Participants wishing to become Voting Participants must, at the discretion of the co-chairs, wait until the composition of the existing voting constituencies changes. Constituencies include:

  1. Academic & Research Institutions
  2. Financial Services & FinTech
  3. Energy & Utilities
  4. Government & Regulatory Agencies
  5. Healthcare & Life Sciences
  6. Industrial & Manufacturing
  7. Telecommunications & Network Service Providers
  8. Hardware Manufacturers
  9. Software Developers & Platform Providers
  10. Cloud & Data Center Infrastructure
  11. Cybersecurity & Privacy Firms
  12. Auditing & Compliance
  13. Automotive & Transportation
  14. Retail & E-commerce
  15. Media & Entertainment

Appendix A - CVSS SIG proposal guidelines

Proposals must be sent as an email containing the following required fields, to solicit votes from Voting Participants:

Proposals must be emailed to the CVSS IPR Member mailing list at cvss-ipr-members@first.org.

An example proposal could be as follows.

Subject: [Voting] Vote to accept new Governance Guidelines, version 1.0

All,

Please find attached a new Governance Guidelines document intended to replace the set of policy documents currently in force. It defines different levels of SIG participation and allows for a more dynamic set of SIG members, among other changes.

The vote will run from now until 17 September 2016, 17:00 PST (UTC-8).

If you vote "No" or abstain, please include an explanation of why.

Thank you,

Appendix B - CVSS SIG scoring question process

CVSS users can contact cvss@first.org with questions regarding CVSS assessments.

The CVSS SIG does not adjudicate between differing assessments of the same vulnerability. However, the CVSS SIG can provide the SIG's opinion, and guidance clarifying the standard, when questions arise during the assessment process.

The CVSS SIG discusses questions about vulnerability assessment during its regular meetings. The outcomes of those discussions are shared through new CVSS examples, FAQ entries, and updates to the CVSS specification document.