A new version of the Common Vulnerability Scoring System (CVSS 4.0) was made generally available by the Forum of Incident Response and Security Teams (FIRST) on July 13, 2023.
CVSS is an open industry standard for rating the severity of security vulnerabilities in computer systems and helps organizations prioritize their vulnerability management processes. It captures the key characteristics of vulnerabilities and provides a way to generate a numerical score that indicates their severity.
Numerical scores are also expressed as a qualitative severity rating (Low, Medium, High, Critical).
Version 4.0 is currently in public preview for comments, which ends on July 31, 2023. All feedback will then be considered and addressed by August 31, 2023, with an official launch initially targeted for October 1, 2023.
The new version is intended to address criticisms of the current CVSS version 3.1, published in June 2019. These include:
- Insufficient granularity of the base metrics
- Applicability only to IT systems, not to OT, ICS and IoT systems
- Scores published by vendors are often High or Critical (7.0 and above)
- Temporal metrics do not effectively influence the final CVSS score
- Overly complex threat metrics
CVSS 4.0 aims to address these issues by introducing the following changes:
- Reinforcing the concept that CVSS is more than just a base score
- Finer granularity with the addition of new base metrics and values
- Enhanced disclosure of impact indicators
- Temporal Metric Group renamed to Threat Metric Group
- A new supplemental metric group that conveys additional external attributes of vulnerabilities that do not affect the final CVSS-BTE score
- More focus on OT/ICS/safety systems
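The metric groups listed above show up in practice as segments of a CVSS 4.0 vector string, and the nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) tells a consumer which groups actually fed the score. The following is an added example, not code from the article or from FIRST: a small parser that validates the base metrics of a vector, derives the nomenclature from which threat and environmental metrics were supplied, ignores supplemental metrics for that purpose (they do not affect the score, as noted above), and maps a numerical score to the qualitative band. It assumes the metric abbreviations and value sets published in the CVSS 4.0 specification, and the sample vectors in the comments are constructed for illustration.

```python
import re

# Metric groups and abbreviations as published in the CVSS 4.0 specification
# (assumption: the final specification keeps these abbreviations).
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT_METRICS = ("E",)
ENVIRONMENTAL_METRICS = (
    "CR", "IR", "AR",
    "MAV", "MAC", "MAT", "MPR", "MUI",
    "MVC", "MVI", "MVA", "MSC", "MSI", "MSA",
)
SUPPLEMENTAL_METRICS = ("S", "AU", "R", "V", "RE", "U")

# Permitted values for the base metrics; these are the only ones validated here.
BASE_VALUES = {
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"),
    "PR": tuple("NLH"), "UI": tuple("NPA"),
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}

_KNOWN = set(BASE_METRICS + THREAT_METRICS + ENVIRONMENTAL_METRICS + SUPPLEMENTAL_METRICS)


def parse_vector(vector: str) -> dict:
    """Split a CVSS 4.0 vector string into a {metric: value} mapping.

    Raises ValueError on a wrong prefix, a malformed or unknown metric, a
    duplicated metric, an invalid base value, or a missing base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        # Values are single letters except for the supplemental "U" metric,
        # whose values are words (e.g. Amber), hence the [A-Za-z]+ group.
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name not in _KNOWN:
            raise ValueError(f"unknown metric {name!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r}")
        if name in BASE_VALUES and value not in BASE_VALUES[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = [n for n in BASE_METRICS if n not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    """Boolean wrapper around parse_vector for quick filtering of feeds."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(metrics: dict) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a parsed vector.

    A metric set to X ("Not Defined") does not count as supplied, and the
    supplemental group never changes the nomenclature because it does not
    feed the score.
    """
    def supplied(names):
        return any(metrics.get(n, "X") != "X" for n in names)

    suffix = "B"
    if supplied(THREAT_METRICS):
        suffix += "T"
    if supplied(ENVIRONMENTAL_METRICS):
        suffix += "E"
    return "CVSS-" + suffix


def qualitative_rating(score: float) -> str:
    """Map a numerical score to the severity band shared by CVSS 3.1 and 4.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # Constructed sample: a full base vector plus threat, environmental and
    # supplemental metrics. The supplemental ones (S, AU, U) are parsed but
    # do not change the nomenclature.
    sample = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
              "/E:P/MAV:L/S:P/AU:Y/U:Amber")
    parsed = parse_vector(sample)
    print(nomenclature(parsed), qualitative_rating(7.0))
```

Because vendors tend to publish only the base vector, a consumer that re-scores with its own threat and environmental inputs should label the result CVSS-BTE rather than presenting it as the vendor's CVSS-B score; the `nomenclature` helper makes that distinction explicit before a score is stored or compared.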
FIRST CEO Chris Gibson commented on the new version: “The CVSS system has evolved rapidly over the past 18 years, with each version building on its ability to defend against cybercrime.
“I am very proud of the tremendous effort and dedication of the CVSS Special Interest Group (SIG) that went into producing version 4.0. It’s timely.
“Our goal as a membership organization is to empower our members and the sector, to demonstrate leadership and to continually improve the way we work together to protect people around the world from cyberattacks.”
Background and development of CVSS
The first version of this standard (CVSS v1) was introduced in February 2005 by a small group of pioneers who recognized the need to standardize vulnerability measurements across software and platforms. In April 2005, the non-profit organization FIRST was appointed custodian of CVSS to steer its future development.
Prior to 2005, vendors were forced to use custom, incompatible rating systems to define the severity of vulnerabilities.
CVSS v1 was extensively tested by a dozen FIRST members of the CVSS-SIG in 2006-2007, leading to the development of v2 in June 2007. This reduced inconsistencies and increased granularity, along with other improvements over the original standard.
Version 3.0 was published in June 2015 and introduced the concept of “scope” to handle the scoring of vulnerabilities that exist in one software component but affect another software, hardware, or network component.
Finally, 3.1 was released in June 2019 to clarify the concepts and improve the overall usability of the standard. However, no new metrics or values were introduced.