Peter M. Mell, Karen Kent Scarfone, Sasha Romanosky
Organizations struggle to assess the relative importance of software vulnerabilities across disparate hardware and software platforms. They must prioritize vulnerabilities and remediate those that pose the greatest risk. However, most software vendors and security organizations use their own proprietary methods to assign scores to the impact of vulnerabilities, making it infeasible for organizations to translate scores consistently and make sound business decisions. The Common Vulnerability Scoring System (CVSS) is a public initiative intended to address this issue. It consists of a well-defined set of metrics and simple equations, and there is accompanying documentation to assist analysts in scoring vulnerabilities and to assist organizations in using the scores. However, CVSS must overcome significant technical and policy issues to reduce barriers to entry and become a ubiquitous vulnerability scoring system.
Common Vulnerability Scoring System (CVSS), FISMA, National Vulnerability Database, vulnerability
Mell, P., Kent, K. and Romanosky, S., Common Vulnerability Scoring System, IEEE Security & Privacy, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=50899 (Accessed September 23, 2022)