CVSS (Common Vulnerability Scoring System)
A standardized framework for rating the severity of security vulnerabilities on a 0-10 scale, used to prioritize remediation efforts.
The Common Vulnerability Scoring System (CVSS) is an open framework for assessing and communicating the severity of software vulnerabilities. It produces a numerical score from 0 to 10, where 10 is the most severe, along with a severity rating: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
CVSS v3.1 (and the newer v4.0) calculates scores based on three metric groups: Base metrics (attack vector, complexity, privileges required, user interaction, scope, impact on confidentiality/integrity/availability), Temporal metrics (exploit code maturity, remediation level, report confidence), and Environmental metrics (organization-specific modifiers).
CVSS scores are essential for vulnerability prioritization. Most organizations use them to set SLAs for remediation — critical vulnerabilities might require a 24-hour fix, while low-severity issues may have a 90-day window.
How APVISO tests for this: APVISO assigns CVSS-aligned severity ratings to all discovered findings, considering attack vector, complexity, and impact. This helps security teams prioritize remediation based on industry-standard severity assessments.