FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release

Third version aims to make the system more applicable to modern concerns

10 June 2015

The Forum of Incident Response and Security Teams (FIRST) has today announced the availability of version 3 of the Common Vulnerability Scoring System (CVSS). The new system is the latest update of the universal open and standardized method for rating IT vulnerabilities and determining the urgency of response. Version 3 of CVSS has been under development for three years, with work initiated at the FIRST Conference in Malta in June 2012.

CVSS version 3 sets out to provide a robust and useful scoring system for IT vulnerabilities that is fit for the future. Its development has been overseen by the CVSS Special Interest Group (SIG) with input from representatives of a broad range of industry sectors, from banking and finance to technology and academia.

The updated version includes enhancements such as the promotion of consistency in scoring, the replacement of Scoring Tips to guide end users of CVSS more clearly, and consideration of the system to make it more applicable to modern concerns. More information on the standard is available at

Seth Hanford, co-chair of the FIRST CVSSv3 working group, said: "We hope that CVSS version 3 is clear, consistent and repeatable, and able to support the work of those who seek to understand, describe, compare, or evaluate IT vulnerabilities via a common scoring system."

"Our aim has been to provide a system that is flexible enough to handle both the challenges that have emerged in vulnerability scoring in recent years, as well as those that we will see in the years to come."


Harry Saunders
Four Communications
Tel: +44 (0)20 3697 4329


Founded in 1990, FIRST consists of internet emergency response teams from more than 200 corporations, government bodies, universities and other institutions from the Americas, Asia, Europe, Africa and Oceania. It leads the world's fight-back against cyber-crime, sabotage and terrorism, and promotes cooperation among computer security incident response teams and law enforcement agencies. For more information, visit:

Please download the full release at first-press-release-20150610.pdf.