The Common Vulnerability Scoring System (CVSS) is the global industry standard for assessing the severity of computer system security vulnerabilities. It establishes a numeric measure of how severe a vulnerability is so that remediation can be prioritized.
The Architecture of CVSS
CVSS is composed of three metric groups: Base, Temporal, and Environmental.
1. Base Metrics
Represents the intrinsic qualities of a vulnerability that are constant over time and user environments.
This is the score most commonly referenced (e.g., "CVE-2023-XXXX has a score of 9.8").
- Attack Vector (AV): Network, Adjacent, Local, Physical.
- Attack Complexity (AC): Low, High.
- Privileges Required (PR): None, Low, High.
- User Interaction (UI): None, Required.
- Scope (S): Unchanged, Changed (The ability to impact resources beyond the vulnerable component).
- CIA Triad: Confidentiality, Integrity, and Availability Impact (C/I/A), each rated None, Low, or High.
2. Temporal Metrics
Reflects the characteristics of a vulnerability that change over time.
- Exploit Code Maturity: Is there functional exploit code available?
- Remediation Level: Is there a patch or workaround?
- Report Confidence: Is the vulnerability confirmed?
3. Environmental Metrics
Customizes the score based on your specific environment.
- Modified Base Metrics: Adjusting the base metrics if your environment mitigates them (e.g., an "Attack Vector: Network" bug might be "Local" if behind a firewall).
- Confidentiality/Integrity/Availability Requirements: How critical is the affected asset?
CVSS v3.1 Logic Flow
The scoring logic is complex, but fundamentally it asks:
- Can I reach it? (Attack Vector)
- Is it hard to exploit? (Attack Complexity + Privileges Required + User Interaction)
- What breaks? (Confidentiality + Integrity + Availability)
A score of 9.8 (Critical) usually means:
- Network reachable.
- Low complexity (easy).
- No privileges required.
- High impact on C, I, and A.
Comparison: CVSS vs. DREAD vs. STRIDE
It is crucial to understand that these frameworks serve different stages of the security lifecycle.
| Feature | CVSS (v3.1) | DREAD | STRIDE |
|---|---|---|---|
| Primary Use | Scoring | Prioritization | Identification |
| Stage | Post-Discovery / Patching | Triage / Backlog Management | Design / Architecture |
| Output | Severity Score (0-10) | Risk Score (0-10) | List of Potential Threats |
| Focus | Technical Severity | Business Impact | Attack Vectors |
| Origin | Industry Standard (FIRST) | Microsoft (Internal) | Microsoft (Methodology) |
Integrated Workflow
A mature security program uses all three in sequence:
- STRIDE (Design Phase): Architects use STRIDE to find potential flaws before code is written. "How could someone tamper with this API?"
- CVSS (Operational Phase): Scanners and researchers report bugs with a CVSS score. "This CVE has a 9.8 base score."
- DREAD (Triage Phase): The product team uses DREAD to decide when to fix it based on real-world risk. "It's a CVSS 9.8, but only affects 1% of users (Low Affected Users). DREAD score adjusts the priority."
Key Takeaway: STRIDE finds the threat. CVSS measures the technical wound. DREAD decides how fast to run to the hospital.