Common Vulnerability Scoring System



Peter M. Mell, Karen Kent Scarfone, Sasha Romanosky


Organizations struggle to assess the relative importance of software vulnerabilities across disparate hardware and software platforms. They must prioritize vulnerabilities and remediate those that pose the greatest risk. However, most software vendors and security organizations use their own proprietary methods to assign scores to the impact of vulnerabilities, making it infeasible for organizations to translate scores consistently and make sound business decisions. The Common Vulnerability Scoring System (CVSS) is a public initiative intended to address this issue. It consists of a well-defined set of metrics and simple equations, and there is accompanying documentation to assist analysts in scoring vulnerabilities and to assist organizations in using the scores. However, CVSS must overcome significant technical and policy issues to reduce barriers to entry and become a ubiquitous vulnerability scoring system.
IEEE Security & Privacy


Common Vulnerability Scoring System (CVSS), FISMA, National Vulnerability Database, vulnerability


Mell, P., Kent, K. and Romanosky, S. (2006), Common Vulnerability Scoring System, IEEE Security & Privacy, [online], (Accessed June 19, 2024)



Created December 29, 2006, Updated June 2, 2021