The numerical score can be represented as a qualitative severity rating to help organizations properly assess and prioritize their vulnerability management processes and prepare defences against cyber-attacks.
CVSS version 1 was released in February 2005, developed then by a small group of pioneers with the aim of industry-wide adoption, with FIRST appointed that April to drive the future development of what would become a critical tool in the sector’s arsenal.
Over a dozen FIRST members of the CVSS Special Interest Group collaborated extensively through 2006 and 2007 to revise and improve CVSS version 1 by testing and re-testing hundreds of real-world vulnerabilities releasing version 2 in June 2007.
A third version developed the tool further in 2015 introducing the concept of ‘Scope’ in to handle the scoring of vulnerabilities that exist in one software component, but impact a separate software, hardware, or networking component.
Finally, a version 3.1 was released in June 2019 which clarified and improved upon version 3.0 without introducing new metrics or values, improving upon clarity of concepts to improve the overall ease of use of the standard and adding the CVSS Extensions Framework.
Chris Gibson, CEO, FIRST commented: “The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality. I am immensely proud of the CVSS-SIG for the hard work and dedication it has taken to produce version 4.0. And it is timely as we continue to see a significant rise in threats across the world.”
