Vulnerability Metrics: What Do CVSS Scores Really Mean?


If you’re a system administrator or security professional, you’ll be familiar with the National Vulnerability Database (NVD). The NVD—which is maintained by the National Institute of Standards and Technology—collects and distributes information about software vulnerabilities that impact IT security. 

Vulnerabilities are scored according to the Common Vulnerability Scoring System (CVSS), and many IT professionals use CVSS scores to prioritize vulnerability mitigation work. However, there are problems with the NVD and CVSS systems that are not widely recognized. 

In this article, we’ll explore how CVSS scores are used and their limitations. 

What Are CVSS Scores?

CVSS scores are a standardized way to assess the severity of security vulnerabilities in software and systems. The framework assigns a numerical score, ranging from 0 to 10, with 10 being the most severe. Scores are based on potential impact, the likelihood of being exploited, and the complexity of the attack.

CVSS scores are further categorized into the severity levels low, medium, and high:

  • Low severity vulnerabilities have scores ranging from 0.1 to 3.9. These vulnerabilities have limited impact and are more difficult to exploit.
  • Medium severity vulnerabilities have scores ranging from 4.0 to 6.9. They are more significant than low severity vulnerabilities and may be easier to exploit.
  • High severity vulnerabilities have scores ranging from 7.0 to 10.0. They pose a significant security risk and are likely to be easily exploitable.

What Are the Limitations of CVSS Scores?

IT professionals use the NVD to stay up to date with vulnerabilities that affect their company’s software, and they use CVSS scores to calibrate their response: high-severity vulnerabilities require an immediate response because they pose a significant risk.

One problem with this system is that not all vulnerabilities are reported by the NVD. Flashpoint’s 2022 State of Vulnerability Intelligence report revealed that of the 11,860 vulnerabilities their system collected, 27.3% did not appear in the NVD. The report also argued that as many as half of the vulnerabilities given a score of 10.0—the highest severity—were not scored correctly. Inaccurate scores can lead businesses to waste resources through incorrect prioritization of vulnerability responses. 

Another problem relates to the way CVSS scores are interpreted. The scores are made up of the groups Base, Temporal, and Environmental:

  • Base metrics are unchanging and include a set of key characteristics inherent to the vulnerability.
  • Temporal metrics provide additional information that can change over time—for example, whether the vulnerability is being exploited in the wild or whether there is a patch available.
  • Environmental metrics provide information about the specific environment in which the vulnerability exists, including the type of system, the user base, and the sensitivity of the data.

But the NVD only reports the base score, which can be misleading. A vulnerability might be scored a 10 even if there is no evidence it has ever been exploited, or even when an organization already has controls in place to mitigate the risk.

Does That Mean CVSS Scores Are Useless?

No. The NVD and CVSS scores are critical tools for IT and security professionals. They provide aggregated security data that would be difficult and expensive to source otherwise. However, professionals should be aware of the limitations and make arrangements to compensate.

Don’t get all of your security information from one source, and make sure you’re correctly interpreting the sources you use. Otherwise, you could misallocate constrained resources or fail to mitigate damaging vulnerabilities.

Liberty Center One provides secure colocation hosting, cloud hosting, and disaster recovery services. To learn how we can help you build secure, scalable, and cost-effective IT systems, talk to an IT infrastructure expert today.