The Forum of Incident Response and Security Teams (FIRST) has introduced CVSS v4.0, revamping the Common Vulnerability Scoring System standard for the first time in over eight years. This latest iteration follows the release of CVSS v3.0 in June 2015 and seeks to enhance precision in vulnerability assessment across various sectors.

In an official statement, FIRST emphasized that CVSS 4.0 aims to deliver a high level of accuracy in evaluating security vulnerabilities, benefiting both industry stakeholders and the public. The system works by quantifying the key technical attributes of a security vulnerability to produce a numerical score that reflects its severity. Organizations use this score to prioritize vulnerability management across severity ratings, including low, medium, high, and critical.

The previous version, CVSS v3.1, which was rolled out in July 2019, faced criticism for its lack of granularity. Concerns arose that the scoring scale did not adequately represent essential factors like health, human safety, and industrial control systems. In light of these issues, the new CVSS v4.0 introduces several supplemental metrics, including Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U), to better inform vulnerability assessments.

CVSS v4.0 also marks a shift in nomenclature, allowing users to classify CVSS scores through combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) ratings. This update reinforces the notion that the Base score should be viewed in conjunction with environmental metrics and attributes that evolve over time, thereby offering a more comprehensive risk assessment framework.

FIRST reiterated the importance of this comprehensive approach, stating that while the CVSS Base Score is a critical component, it should be supplemented with analyses of the specific environment and evolving threat metrics. Understanding these nuances will empower organizations to develop more robust cybersecurity strategies in the face of increasingly sophisticated threats.
