CVSS scores are widely relied upon by enterprises to gauge how important it is to prioritize a vulnerability. CVSS scores provide a convenient means by which vulnerabilities can be compared for purposes of prioritization. Despite this convenience, there are a few pitfalls that can lead an organization to be misled by CVSS scores.
The attractiveness of CVSS scores is quite apparent. The CVSS framework, now on its third major version, is maintained by a nonprofit organization (Forum of Incident Response and Security Teams), which has over 500 member organizations globally. Scores are based on an open, standardized methodology that provides a simple (0-10) numeric indicator of the severity of a vulnerability. Because the scores are published in NIST’s National Vulnerability Database (NVD), they are widely accessible.
A complete CVSS score is comprised of three “Metric Groups” – Base, Temporal, and Environmental.