Common Vulnerability Scoring System

Published

Author(s)

Peter M. Mell, Karen Kent Scarfone, Sasha Romanosky

Abstract

Organizations struggle to assess the relative importance of software vulnerabilities across disparate hardware and software platforms. They must prioritize vulnerabilities and remediate those that pose the greatest risk. However, most software vendors and security organizations use their own proprietary methods to assign scores to the impact of vulnerabilities, making it infeasible for organizations to translate scores consistently and make sound business decisions. The Common Vulnerability Scoring System (CVSS) is a public initiative intended to address this issue. It consists of a well-defined set of metrics and simple equations, and there is accompanying documentation to assist analysts in scoring vulnerabilities and to assist organizations in using the scores. However, CVSS must overcome significant technical and policy issues to reduce barriers to entry and become a ubiquitous vulnerability scoring system.
Citation
IEEE Security & Privacy

Keywords

Common Vulnerability Scoring System (CVSS), FISMA, National Vulnerability Database, vulnerability

Citation

Mell, P., Kent, K. and Romanosky, S. (2006), Common Vulnerability Scoring System, IEEE Security & Privacy, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=50899 (Accessed December 14, 2024)


Created December 29, 2006, Updated June 2, 2021