The pending update to the Common Common Vulnerability Scoring System (CVSS), version 4.0, has garnered a noticeable volume of articles, blog posts and watercooler (now known as Slack and Zoom) air time. Reaction from the community has been positive, with general sentiment pinned somewhere near “practical.”
CVSS provides a standardized method for evaluating the potential severity (and in many cases impact) of a vulnerability so organizations can make informed decisions about how to respond to specific security issues. Its fundamentals have been widely adopted by vendors, researchers, academics, and vulnerability analysts.
The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023.
So, what’s new in CVSS v4?
CVSS v4 ushers in some meaningful improvements wrapped in a bit of nuanced complexity, especially if you’re a vendor or threat researcher responsible for providing base scores. As far back as CVSS v1, the standard has recognized that things like time, value of the target, exploit activity, and specific operating environment all influence the amount of risk associated with a unique vulnerability. A balance between completeness and ease of use has been sought in development of more recent CVSS versions.
Temporal and Environmental Metrics were intended to provide business context to help influence tradeoff decisions. However, these metrics were “optional” in v3, and adoption stagnated and never really grew beyond use of Base Metrics. Reality reflects this observation partially due to the score subjectivity stemming from assessor interpretation(s), human bias, but most importantly the fact that calculating “optional” metrics requires resources and time that organizations might invest in other areas.
The following summar ..
Support the originator by clicking the read the rest link below.
