Common Vulnerability Scoring System Version 4.0

CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard.

Some of the changes incorporated into CVSS v4.0 include:

• Reinforce the concept that CVSS it not just the Base score
  • New nomenclature has been added to identify combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE)
• Finer granularity through the addition of new Base metrics and values:
  • New Base metric: Attack Requirements (AT)
  • New Base metric values: User Interaction (UI): Passive (P) and Active (A)
• Enhanced disclosure of impact metrics:
  • Scope retired
  • Explicit assessment of impact to Vulnerable System (VC, VI, VA) and Subsequent Systems (SC, SI, SA)
• Temporal metric group renamed to Threat metric group
  • Threat metrics simplified and clarified
  • Remediation Level (RL) and Report Confidence (RC) retired
  • Exploit "Code" Maturity renamed to Exploit Maturity (E) with clearer values
• New Supplemental Metric Group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score
  • Safety (S)
  • Automatable (A)
  • Recovery (R)
  • Value Density (V)
  • Vulnerability Response Effort (RE)
  • Provider Urgency (U)
• Additional focus on OT/ICS/Safety
  • Consumer-assessed Safety (MSI:S, MSA:S)
  • Provider-assessed Safety through Safety (S) supplemental metric

More information about what's new in CVSS v4.0 is available in PDF format here.

The CVSS v4.0 Public Preview comment period began on June 8, 2023, and runs through July 31, 2023. All feedback will be reviewed and addressed by September 30, 2023 (previously August 31, 2023), with a target official publication date of October 31, 2023.

Comments, questions, concerns, and other feedback may be sent to cvss@first.org. This is a limited distribution mailing list. All comments will be anonymized before being reviewed and considered.