The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while letting users see the underlying vulnerability characteristics that were used to generate the scores. CVSS is therefore well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's own systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
In particular, NVD supports the Common Vulnerability Scoring System (CVSS) version 2 standard for all CVE vulnerabilities. NVD provides CVSS 'base scores', which represent the innate characteristics of each vulnerability. We do not currently provide 'temporal scores' (scores that change over time due to events external to the vulnerability). However, NVD does provide a CVSS score calculator that allows you to add temporal data and even to calculate environmental scores (scores customized to reflect the impact of the vulnerability on your organization). This calculator also supports U.S. government agencies in customizing vulnerability impact scores based on FIPS 199 system ratings.
Using CVSS support within NVD
1. NVD CVSS v2 Calculator
2. Click on a CVSS score while using NVD to customize that score for your environment
3. Download CVSS scores for all CVE vulnerabilities from the NVD XML feed
CVSS standards information:
1. FIRST CVSS Homepage.
2. CVSS v2 standard specification.
3. CVSS v2 impact vector specification: http://nvd.nist.gov/CVSS/Vector-v2.aspx.
NVD CVSS News
- October 16, 2007: The NVD CVSS V2 calculator has been updated to include the following functionality:
  - The CVSS V2 calculator now supports the 'ND' (Not Defined) value for temporal and environmental metrics.
  - 'CDP' has replaced 'CD' as the abbreviation for the environmental metric 'CollateralDamagePotential', matching the vector representation in the official CVSS V2 specification. (NOTE: the calculator still accepts the legacy 'CD' representation.)
  - The values of the temporal metric 'ReportConfidence' (RC) have been updated to match the official CVSS V2 specification. (NOTE: the calculator still accepts the legacy RC values.)
- August 6, 2007: The Payment Card Industry Data Security Standard (PCI DSS) requires the use of NVD CVSS impact scores within approved scanning vendor (ASV) tools.
- June 20, 2007: The National Vulnerability Database deployed support for the Common Vulnerability Scoring System (CVSS) version 2.0.
NVD Vulnerability Severity Ratings
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores, but these qualitative rankings are simply mapped from the numeric CVSS base score:
1. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities are labeled "Medium" severity if they have a CVSS base score of 4.0-6.9.
3. Vulnerabilities are labeled "High" severity if they have a CVSS base score of 7.0-10.0.
For some vulnerabilities, not all of the information needed to compute a CVSS score is available. This typically happens when a vendor announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS scores using a worst-case approach, treating any metric the available information does not determine as its most severe value. Thus, if a vendor provides no details at all about a vulnerability, NVD scores it as a 10.0 (the highest rating).
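As an added worked example (not the NVD calculator's own code), the following Python implements the CVSS v2 base and temporal score equations, the 'ND' (Not Defined) handling described in the news items above, NVD's Low/Medium/High mapping, and the worst-case policy just described. The metric weights are those published in the FIRST CVSS v2 specification. The worst-case fill routine is an assumption about how the stated policy is applied, not NVD's actual analyst procedure, and all sample vectors are constructed rather than taken from NVD.

```python
"""CVSS v2 base and temporal scoring with NVD's Low/Medium/High mapping."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights, from the CVSS v2 specification (FIRST).
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # AccessVector: Local/Adjacent/Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # AccessComplexity: High/Medium/Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication: Multiple/Single/None
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # ConfImpact: None/Partial/Complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # IntegImpact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # AvailImpact
}

# Temporal metric weights; 'ND' (Not Defined) is 1.0 and leaves the score unchanged.
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},    # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # RemediationLevel
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # ReportConfidence
}

# Worst-case value of each base metric. Used below to illustrate NVD's policy of
# scoring undisclosed details pessimistically; this is an assumption about how
# that policy is applied, not NVD's own analyst procedure.
WORST_CASE = {"AV": "N", "AC": "L", "Au": "N", "C": "C", "I": "C", "A": "C"}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (with or without surrounding parentheses)
    into a {metric: value} dict. Temporal metrics may be appended in the same form."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        if not part:
            continue
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed metric %r in vector %r" % (part, vector))
        metrics[key] = value
    return metrics


def round_to_1_decimal(x):
    """The spec's round_to_1_decimal: round half up, unlike Python's round()."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(metrics):
    """CVSS v2 base score equation: Impact, Exploitability and f(Impact)."""
    w = {name: table[metrics[name]] for name, table in BASE_WEIGHTS.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(base, metrics):
    """Temporal score = Base * E * RL * RC; a missing temporal metric counts as 'ND'."""
    factor = 1.0
    for name, table in TEMPORAL_WEIGHTS.items():
        factor *= table[metrics.get(name, "ND")]
    return round_to_1_decimal(base * factor)


def nvd_severity(base):
    """NVD's qualitative label, derived purely from the numeric base score."""
    if base < 4.0:
        return "Low"
    if base < 7.0:
        return "Medium"
    return "High"


def worst_case_base_score(partial_vector):
    """Score a vulnerability whose vendor disclosed only some base metrics by filling
    the missing ones with their worst-case values; no details at all gives 10.0."""
    known = parse_vector(partial_vector)
    filled = {name: known.get(name, WORST_CASE[name]) for name in WORST_CASE}
    return base_score(filled)


if __name__ == "__main__":
    # Constructed sample vectors, not scores taken from NVD.
    for vec in ["(AV:N/AC:L/Au:N/C:P/I:P/A:P)", "AV:L/AC:H/Au:M/C:P/I:N/A:N",
                "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:TF/RC:UR"]:
        m = parse_vector(vec)
        b = base_score(m)
        print("%-45s base %4.1f (%s) temporal %4.1f"
              % (vec, b, nvd_severity(b), temporal_score(b, m)))
    print("no vendor details -> worst-case base score", worst_case_base_score(""))
```

Note that the severity label is taken from the base score only, as NVD does; the temporal score in the third sample drops a "High" 7.5 to 6.1 without changing its NVD label. Rounding is done half-up on a decimal representation because Python's round() uses banker's rounding and can disagree with the specification at the .x5 boundary.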
Collaboration with Industry
NVD staff are willing to work with the security community on CVSS impact scoring. If you wish to contribute additional information or corrections regarding the NVD CVSS impact scores, please send email to firstname.lastname@example.org. We actively work with users that provide us feedback.
Product Integration into CVSS V2 Calculator
CVSS-compatible products may give their users access to the NVD CVSS v2 calculator by creating a hyperlink that includes the CVSS vector and, optionally, the vulnerability name. This works for base, temporal, and environmental vectors. The hyperlinks should take one of the following forms.
Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
Example environmental vector hyperlinks to CVSS calculator (with and without vulnerability name):
Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
Please see: http://nvd.nist.gov/cvss.cfm?vectorinfov2 for more details on the CVSS product integration.
Scores for the CVE vulnerabilities published between 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not have the granularity of CVSS v2, so these scores are marked as "Version 2.0 upgrade from v1.0" within NVD. While these scores are approximations, they are expected to be reasonably accurate CVSS v2 scores.
Scores provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Version 2.0 Incomplete approximation" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.