CVSS Scores are numeric representations of the severity of a vulnerability. CVSS scores are composed of three sub metric groups – CVSS Base Metrics, CVSS Temporal Metrics, and CVSS Environmental Metrics. In most cases, the CVSS score reported in the NIST NVD is only the Base Score. Strictly speaking, the Base Score should not change over time, but that isn’t always the case. Both the Temporal (as the name would imply) and the Environmental scores are expected to change as time goes on.
Here are the 3 reasons why CVSS scores change over time:
- CVSS Base Score changes – Base scores are meant to represent attributes inherent in a vulnerability itself – things like attack complexity and privileges required. That said, while CVSS scores are understood to be objective measures of severity, in actuality, there is a huge amount of subjectivity in the scores, requiring skilled assessors to gauge where a particular vulnerability falls in a certain category. If another skilled assessor looks at a vulnerability, she/he might see things differently, and alter the score. Additionally, many vulnerabilities are reported as soon as they are found, with the vendor of the impacted system weighing in later. The additional data that the vendor supplies might alter the scoring as well.
- CVSS Temporal Score changes – Temporal metrics will change over time through actions taken by both the good guys and the bad guys. For example, when a vendor creates a software patch for the vulnerability and makes it widely available, the Remediation Level will improve, lowering the Temporal score. On the other hand, if adversaries create easy-to-use exploit code and distribute it widely, Exploit Code Maturity will move to High and increase the Temporal Score.
- CVSS Environmental Score changes – Environmental scores are specific to each organization leveraging the CVSS system, and will change as the organization’s environment changes. For example, the organization might decommission impacted software. Or they might introduce new compensating controls in their environment, which reduces the likelihood that the vulnerability can be exploited.
Whatever the reason, CVSS Scores are likely to change over time, so it’s important to build a risk-based vulnerability management program using tools that operate continuously, and in real-time, always reflecting the current state of risk in your environment. It’s also critically important that you understand the limitations of CVSS scores and why you should stop using CVSS scores to measure risk.