CVSS (Common Vulnerability Scoring System)
What is CVSS?
The Common Vulnerability Scoring System (CVSS) is a standardized framework developed by FIRST for rating the severity of security vulnerabilities. It provides a numeric score (typically from 0.0 to 10.0) based on static attributes such as:
- Attack vector (e.g., network vs. physical access)
- Complexity of exploitation
- Required privileges and user interaction
- Impact on confidentiality, integrity, and availability
CVSS is widely adopted in vulnerability scanning tools and compliance frameworks. However, it does not account for whether a vulnerability is actively being exploited in the wild.
Why it matters
CVSS provides a consistent way to evaluate vulnerabilities, but severity scores alone don’t always reflect real-world risk. A high CVSS score doesn’t necessarily mean high business impact.
How it works
CVSS assigns a base score (0–10) using factors like access complexity, authentication, and confidentiality impact. Advanced programs also apply temporal and environmental metrics for deeper insight.
How Brinqa helps
Brinqa enhances CVSS scoring by combining it with contextual data—asset value, exploit intelligence, and exposure relationships—to produce meaningful, business-driven risk prioritization.
What is the difference between EPSS vs. CVSS?
Similar to EPSS, the Common Vulnerability Scoring System (CVSS) is a framework for assessing vulnerabilities. But CVSS and EPSS use different calculation methods:
- CVSS assesses the severity of a vulnerability based on innate factors such as access complexity, exploitability, and impact. The score ranges from 0 to 10, with a higher score indicating a more severe vulnerability.
- EPSS is calculated from the likelihood of a vulnerability being exploited, a factor CVSS scores do not consider. EPSS provides a probability between 0 and 1 (0% to 100%). A higher score indicates that the vulnerability is more likely to be exploited within the next 30 days.
While CVSS scores are still widely used in security programs, EPSS — a more recent and advanced system developed by the same group (FIRST) — offers additional capabilities. To improve the quality of vulnerability data, it is recommended to use EPSS and CVSS together, leveraging the strengths of each system.
Read More: EPSS vs. CVSS: Understanding the Differences and Use Cases
