CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a consistent language for communicating how severe a vulnerability is based on its technical characteristics, regardless of the specific product or environment affected.

What is CVSS?

The Common Vulnerability Scoring System, or CVSS, is the industry standard for assigning a severity score to software vulnerabilities. When you see a vulnerability rated "Critical (9.8)" in a security advisory, that number comes from CVSS.

Maintained by FIRST (Forum of Incident Response and Security Teams), CVSS evaluates vulnerabilities across multiple dimensions and produces a score between 0.0 (informational) and 10.0 (maximum severity). The National Vulnerability Database (NVD) attaches CVSS scores to over 200,000 CVE entries, making it the default severity language across the security industry.

CVSS scores are grouped into severity ratings:

  • None: 0.0
  • Low: 0.1 to 3.9
  • Medium: 4.0 to 6.9
  • High: 7.0 to 8.9
  • Critical: 9.0 to 10.0

The current version, CVSS v4.0, was released in November 2023 and introduced significant changes from v3.1. It restructured the scoring into four metric groups:

  1. Base metrics. The intrinsic technical characteristics of a vulnerability: how it's exploited, what it requires, and what kind of impact it has on confidentiality, integrity, and availability. This is the score most people see and cite.
  2. Threat metrics. Real-world exploit status, replacing the old "Temporal" group. This captures whether functional exploit code exists and whether the vulnerability is being actively exploited, connecting scoring to actual threat intelligence.
  3. Environmental metrics. Organization-specific adjustments based on how critical the affected system is in your specific environment and what mitigating controls you have in place.
  4. Supplemental metrics. Additional context like automatable exploitation, recovery feasibility, and provider urgency that helps with prioritization decisions.

Why CVSS matters for startups

CVSS is the lingua franca of vulnerability management. Every scanner, advisory, and security report uses it. Understanding how it works (and where it falls short) is essential for building a security program that actually prioritizes the right things.

Here's what startups need to know:

  1. It's the universal severity language. When your vulnerability scanner flags a finding as "High (7.5)," that's a CVSS score. When a vendor's security advisory says a patch addresses a critical vulnerability, they're referencing CVSS. Understanding these scores lets you participate in security conversations with customers, auditors, and your own team without ambiguity.
  2. Base scores alone are misleading. The biggest mistake teams make is treating CVSS base scores as risk scores. They are not. A CVSS base score measures technical severity in a vacuum. It tells you how bad a vulnerability could be, not how likely it is to be exploited or how much it matters in your specific environment. According to Intruder, only 2.3% of CVEs scored at CVSS 7 or above were actually observed being exploited. Treating every high-CVSS finding as urgent leads directly to alert fatigue.
  3. CVSS v4.0 partially fixes the prioritization problem. The transition from v3.1 to v4.0 introduced threat metrics that account for active exploitation, which helps. But according to Mend, CVSS v4.0 results in 27% more critical-severity alerts and 18% more high-severity alerts than v3.1, meaning the score inflation issue hasn't been fully resolved.
  4. Compliance expects you to use it. SOC 2 and ISO 27001 auditors expect your vulnerability management process to use standardized severity ratings. CVSS is the default standard they'll look for. Having a clear policy that references CVSS scores (in combination with other signals such as the Exploit Prediction Scoring System (EPSS) and whether a vulnerability appears in CISA's Known Exploited Vulnerabilities (KEV) catalog) demonstrates a mature, risk-based approach.

Using CVSS effectively

For startups building a vulnerability management practice, the key is to use CVSS as one input among several, not as the sole decision-maker:

  • Don't patch by CVSS score alone. A CVSS 9.8 in a test environment with no network exposure is less urgent than a CVSS 6.5 in your production API that handles customer data. Context matters.
  • Combine CVSS with EPSS and KEV. Use CVSS for severity, EPSS for exploitation probability, and CISA's KEV catalog for confirmed active exploitation. A vulnerability that scores CVSS 7.0, has an EPSS probability above 0.5, and appears in the KEV catalog is a genuine emergency. A CVSS 9.0 with an EPSS of 0.001 and no KEV listing can likely wait for your next patch cycle.
  • Use environmental metrics when possible. CVSS v4.0's environmental adjustments let you lower or raise effective scores based on your specific deployment. A vulnerability affecting a component you don't use, or one where you have compensating controls, should be scored accordingly.
  • Document your policy. Write down how you use CVSS in your remediation SLAs. Common approaches: Critical (9.0+) within 24 hours, High (7.0-8.9) within 7 days, Medium (4.0-6.9) within 30 days, Low within 90 days. Auditors love this.
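The four rules above, turned into a small triage routine. This is an added example, not code from the page, from FIRST or from CISA. The 0.5 EPSS threshold comes from the text; the 0.01 "very unlikely" cut-off, the one-band step-downs for non-production and unexposed systems, and the SLA table (the sample policy quoted above) are an assumed policy, and the four findings are constructed sample data that mirror the examples in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# CVSS qualitative severity bands (same ranges the article lists).
BANDS = ["None", "Low", "Medium", "High", "Critical"]


def cvss_rating(score: float) -> str:
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Remediation SLA per effective band: the sample policy from the text (assumed, not a standard).
SLA_BY_RATING = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}

EPSS_HIGH = 0.5   # from the text: EPSS above 0.5 (plus KEV) is a genuine emergency
EPSS_LOW = 0.01   # assumed cut-off below which exploitation is treated as very unlikely


@dataclass
class Finding:
    id: str
    cvss_base: float
    epss: float               # exploitation probability, 0.0..1.0
    in_kev: bool              # present in CISA's KEV catalog
    production: bool
    internet_exposed: bool


@dataclass
class Triage:
    effective: str
    sla: Optional[timedelta]
    reasons: List[str] = field(default_factory=list)


def shift(rating: str, delta: int) -> str:
    """Move a band up or down without leaving Low..Critical ("None" stays "None")."""
    if rating == "None":
        return rating
    i = BANDS.index(rating) + delta
    return BANDS[max(1, min(len(BANDS) - 1, i))]


def triage(f: Finding) -> Triage:
    rating = cvss_rating(f.cvss_base)
    t = Triage(effective=rating, sla=None, reasons=[f"CVSS {f.cvss_base} -> {rating}"])
    # 1. Confirmed or likely exploitation overrides the base score.
    if f.in_kev:
        t.effective = "Critical"
        t.reasons.append("listed in CISA KEV: treat as Critical")
    elif f.epss >= EPSS_HIGH:
        t.effective = "Critical"
        t.reasons.append(f"EPSS {f.epss} >= {EPSS_HIGH}: treat as Critical")
    elif f.epss < EPSS_LOW and t.effective in ("High", "Critical"):
        t.effective = shift(t.effective, -1)
        t.reasons.append(f"EPSS {f.epss} < {EPSS_LOW} and not in KEV: defer one band")
    # 2. Environmental context (assumed policy): isolated or non-production systems
    #    are less urgent, unless exploitation is already confirmed.
    if not f.in_kev:
        if not f.production:
            t.effective = shift(t.effective, -1)
            t.reasons.append("non-production system: one band down")
        if not f.internet_exposed:
            t.effective = shift(t.effective, -1)
            t.reasons.append("no network exposure: one band down")
    t.sla = SLA_BY_RATING.get(t.effective)
    return t


def build_queue(findings: List[Finding]) -> List[Tuple[Finding, Triage]]:
    """Order work by effective band, then KEV, then exposed production, then EPSS."""
    scored = [(f, triage(f)) for f in findings]
    scored.sort(
        key=lambda ft: (BANDS.index(ft[1].effective), ft[0].in_kev,
                        ft[0].production and ft[0].internet_exposed, ft[0].epss),
        reverse=True,
    )
    return scored


# Constructed sample findings mirroring the article's examples.
SAMPLE_FINDINGS = [
    Finding("F1", 7.0, 0.60, True, True, True),     # CVSS 7.0, EPSS > 0.5, in KEV, exposed prod
    Finding("F2", 9.0, 0.001, False, True, True),   # CVSS 9.0, EPSS 0.001, no KEV listing
    Finding("F3", 9.8, 0.10, False, False, False),  # CVSS 9.8 in an isolated test environment
    Finding("F4", 6.5, 0.10, False, True, True),    # CVSS 6.5 in the production customer API
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for f, t in build_queue(SAMPLE_FINDINGS):
        due = (now + t.sla).strftime("%Y-%m-%d %H:%M") if t.sla else "n/a"
        print(f"{f.id}: {t.effective:8} due {due}  ({'; '.join(t.reasons)})")
```

Run as-is and the queue comes out F1, F2, F4, F3: the KEV-listed CVSS 7.0 is the emergency, the CVSS 9.0 with negligible EPSS drops into the 7-day band, and the CVSS 6.5 in the exposed production API is worked before the CVSS 9.8 in the isolated test environment. The reasons list is what you would attach to a ticket so an auditor can see why the effective band differs from the base score.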

Frequently asked questions

What is the difference between CVSS v3.1 and v4.0?

CVSS v4.0 restructured the scoring system into four metric groups (Base, Threat, Environmental, and Supplemental), replacing v3.1's three groups (Base, Temporal, Environmental). The biggest change is the Threat metrics group, which replaces the old Temporal group and more directly connects scoring to real-world exploit activity. v4.0 also added granularity to attack complexity, introduced supplemental metrics for additional context, and attempted to address score inflation. However, the transition is gradual, as many tools and databases still primarily report v3.1 scores.

Why shouldn't I just patch everything with a CVSS score of 7 or higher?

Because it's inefficient and leads to alert fatigue. Research shows that only about 2.3% of vulnerabilities scored CVSS 7 or above are actually exploited in the wild. Treating all high-CVSS findings as equally urgent means your team spends significant effort on vulnerabilities that attackers will likely never target, while potentially delaying work on lower-scored vulnerabilities that are actively being exploited. A smarter approach combines CVSS with EPSS (which estimates exploitation probability) and CISA's KEV catalog (which confirms active exploitation) to focus remediation where it actually reduces risk.

How is a CVSS base score calculated?

A CVSS base score is derived from two sub-groups of metrics: Exploitability metrics and Impact metrics. Exploitability metrics evaluate how the vulnerability is attacked, including the attack vector (network, adjacent, local, or physical), attack complexity, privileges required, and whether user interaction is needed. Impact metrics measure the consequences of a successful exploit on confidentiality, integrity, and availability of the affected system. These metrics are combined using a mathematical formula that produces a score between 0.0 and 10.0. You can calculate scores using FIRST's official CVSS calculator at first.org/cvss/calculator.
