Common Vulnerability Scoring System Version 4.0

CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard.

Some of the changes incorporated into CVSS v4.0 include:

• Reinforce the concept that CVSS it not just the Base score
  • New nomenclature has been added to identify combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE)
• Finer granularity through the addition of new Base metrics and values:
  • New Base metric: Attack Requirements (AT)
  • New Base metric values: User Interaction (UI): Passive (P) and Active (A)
• Enhanced disclosure of impact metrics:
  • Scope retired
  • Explicit assessment of impact to Vulnerable System (VC, VI, VA) and Subsequent Systems (SC, SI, SA)
• Temporal metric group renamed to Threat metric group
  • Threat metrics simplified and clarified
  • Remediation Level (RL) and Report Confidence (RC) retired
  • Exploit "Code" Maturity renamed to Exploit Maturity (E) with clearer values
• New Supplemental Metric Group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score
  • Safety (S)
  • Automatable (A)
  • Recovery (R)
  • Value Density (V)
  • Vulnerability Response Effort (RE)
  • Provider Urgency (U)
• Additional focus on OT/ICS/Safety
  • Consumer-assessed Safety (MSI:S, MSA:S)
  • Provider-assessed Safety through Safety (S) supplemental metric

More information about what's new in CVSS v4.0 is available in PDF format here.

Links on the left lead to CVSS version 4.0's specification and related resources.

A self-paced on-line training course is available for CVSS v4.0. It explains the standard without assuming any prior CVSS experience.