FIRST publishes updated Common Vulnerability Scoring System for worldwide security teams

July 12th, 2019 - The Forum of Incident Response and Security Teams (FIRST) has published an update of its internationally recognized Common Vulnerability Scoring System (CVSS). CVSS is a common scoring system designed to provide open and universally standard severity ratings of software vulnerabilities for the security community. Used by organizations worldwide, version 3.1 documentation is now available on the FIRST website for members and non-members to reference.

The goal of CVSS version 3.1 is to simplify and improve upon the existing CVSS version 3.0 standard allowing for easier adoption by the security community. Updates include clarification of the definitions and explanation of existing base metrics such as Attack Vector, Privileges Required, Scope, and Security Requirements. A new standard method of extending CVSS, called the CVSS Extensions Framework, allows a scoring provider to include additional metrics and metric groups while retaining the official Base, Temporal, and Environmental Metrics.  The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard. Finally, the CVSS Glossary of Terms is expanded and refined to cover all terms used throughout the CVSS version 3.1 documentation.

“FIRST is grateful for input from industry subject-matter experts in an effort to enhance and refine CVSS to be more applicable to the vulnerabilities, products, and platforms being developed over the past 15 years and beyond. The primary goal of CVSS is to provide a deterministic and repeatable way to score the severity of vulnerabilities across many different constituencies,” stated CVSS SIG co-Chair of FIRST.


Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 360 corporations, government bodies, universities and other institutions across 78 countries in the Americas, Asia, Europe, Africa, and Oceania. It promotes cooperation among computer security incident response teams. For more information, visit:

Media Contacts

Nicole Chan
Cred Communications Ltd
Tel:           +852 9027 1404 | +852 2110 3519