Common Vulnerability Scoring System (CVSS)

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a standardized framework used to measure the severity of security vulnerabilities. It assigns each vulnerability a numerical score from 0 to 10, along with qualitative ratings such as Low, Medium, High, or Critical. This helps organizations prioritize which vulnerabilities to address first.

Why CVSS Matters

CVSS provides a common language for assessing risk. Security teams, software vendors, and researchers use it to:

  • Understand the potential impact of vulnerabilities
  • Compare severity across different systems and software
  • Prioritize remediation efforts based on standardized scores

How CVSS Scores Are Calculated

CVSS considers multiple metrics to assess a vulnerability:

  • Base metrics: The inherent qualities of a vulnerability (e.g., attack vector, complexity, impact on confidentiality, integrity, and availability)
  • Temporal metrics: Factors that change over time, like exploit code maturity or patch availability
  • Environmental metrics: How the vulnerability affects a specific environment or organization

These factors combine to produce a single score that helps guide security decisions.

CVSS vs. EPSS

While CVSS measures severity, it does not account for the likelihood of exploitation. That’s where EPSS (Exploit Prediction Scoring System) comes in. EPSS predicts the probability that a vulnerability will be exploited in the wild. Together, CVSS and EPSS provide a fuller picture of risk, allowing teams to focus on vulnerabilities that are both severe and likely to be exploited.

How Intruder Helps

Intruder integrates both CVSS and EPSS scoring into its vulnerability management platform, helping teams quickly understand the severity and exploit likelihood of detected issues. This combination helps teams prioritize vulnerabilities that pose the greatest real-world risk, so they can fix what matters most.

Want to prioritize vulnerabilities smarter? Start your free trial with Intruder today.