CVSS 4.0 is Released: Find Out How it Impacts your Company

This summer, CVSS 4.0 was previewed at the 35th annual FIRST Conference. The new version aims to make vulnerability severity scoring more accurate and more granular while still producing a single, easy-to-use number that gives organizations a consistent way to rate each finding. It builds on CVSS 3.1 and makes it explicit that a Base score should be supplemented with threat and environmental details, which are the inputs teams most need for prioritization. Depending on which metric groups are scored, a CVSS 4.0 score carries one of four nomenclatures:

  • CVSS-B: CVSS Base Score

  • CVSS-BT: CVSS Base + Threat Score

  • CVSS-BE: CVSS Base + Environmental Score

  • CVSS-BTE: CVSS Base + Threat + Environmental Score

FIRST has also published a CVSS 4.0 calculator so teams can score their own vulnerabilities. The added metrics allow more granularity and try to capture the environmental details that matter to risk. A particularly useful change is that the previous "Temporal" metric group has been replaced by a "Threat" metric group, reduced to a single metric, Exploit Maturity (E), which takes one of four values:

  • Unreported — there is no known exploit or Proof of Concept (PoC) code available

  • PoC — a Proof of Concept (PoC) has been seen, but has not been used to build a reliable exploit that has been used in actual attacks

  • Attacked — exploitation has been observed in actual attacks

  • Not Defined — the metric has not been set; for scoring purposes this is treated the same as Attacked (the worst case), so leaving it blank does not lower the score

For many organizations, none of this matters until their scanning vendors update their definitions to emit CVSS 4.0 scores. Even then, vendors will not all move at once (many still report 2.0 or 3.x), and mixed versions in one report cause confusion: the same vulnerability can be "High" under CVSS 2.0 and "Medium" under 4.0, because the formulas differ and because 2.0's single "High" band (7.0 to 10.0) covers what 3.x and 4.0 split into "High" (7.0 to 8.9) and "Critical" (9.0 to 10.0). Vendors need to adopt the new score quickly while keeping enough backwards compatibility that findings from different versions can still be compared in one report. The new metrics may completely reorder an organization's priorities, and seemingly for the better. What is still missing is a way to combine these objective data points with subjective, organization-specific metrics, which is what actually defines the real risk a company carries.
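To make the version mismatch and the new Threat metric concrete, here is an added Python example (not code from this post, from FIRST, or from Glassportal) that normalizes scanner findings reported under different CVSS versions: it parses a CVSS 4.0 vector string, derives the score nomenclature from which metric groups are set, reads the Exploit Maturity value, applies each version's qualitative severity bands, and sorts findings with known exploitation first. The finding records, IDs and scores are constructed for illustration; the 4.0 scoring formula itself is not implemented, and the numeric score is taken as reported by the scanner rather than computed from the vector.

```python
"""Triage helpers for findings reported with mixed CVSS versions.

Added example for this post; not code from FIRST, the article, or any vendor.
The CVSS 4.0 scoring formula is NOT implemented here: the numeric score is
taken from the scanner output and only parsed, labelled and sorted.
"""

import re

# CVSS 4.0 metric abbreviations as they appear in vector strings.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
ENVIRONMENTAL_METRICS = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                         "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
# Supplemental metrics (S, AU, R, V, RE, U) are informational and never
# change the score or the nomenclature, so they are parsed but ignored.

# Threat metric group: the single Exploit Maturity (E) metric.
EXPLOIT_MATURITY = {"A": "Attacked", "P": "PoC", "U": "Unreported", "X": "Not Defined"}
# Sort rank for triage. Per the 4.0 spec, Not Defined scores the same as
# Attacked (worst case), so it gets the same rank; lower sorts first.
EXPLOIT_RANK = {"Attacked": 0, "Not Defined": 0, "PoC": 1, "Unreported": 2}

# Qualitative severity bands (inclusive, one-decimal scores).
# 2.0 has three bands; 3.x and 4.0 add None and Critical.
SEVERITY_BANDS = {
    "2.0": [(7.0, 10.0, "High"), (4.0, 6.9, "Medium"), (0.0, 3.9, "Low")],
    "3.1": [(9.0, 10.0, "Critical"), (7.0, 8.9, "High"), (4.0, 6.9, "Medium"),
            (0.1, 3.9, "Low"), (0.0, 0.0, "None")],
}
SEVERITY_BANDS["3.0"] = SEVERITY_BANDS["3.1"]
SEVERITY_BANDS["4.0"] = SEVERITY_BANDS["3.1"]

# Metric values are single letters except the supplemental Urgency (U),
# whose values are words such as Red or Clear.
METRIC_RE = re.compile(r"([A-Z]+):([A-Za-z]+)")


def parse_v4_vector(vector: str) -> dict:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; reject anything else."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        match = METRIC_RE.fullmatch(part)
        if not match:
            raise ValueError(f"malformed metric {part!r}")
        name, value = match.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE, depending on which optional
    metric groups carry a value other than Not Defined (X)."""
    threat = metrics.get("E", "X") != "X"
    env = any(metrics.get(name, "X") != "X" for name in ENVIRONMENTAL_METRICS)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")


def severity_label(score: float, version: str) -> str:
    """Map a numeric score to the qualitative band of the given CVSS version."""
    score = round(score, 1)
    for low, high, label in SEVERITY_BANDS[version]:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} out of range for CVSS {version}")


def normalize(finding: dict) -> dict:
    """Turn one scanner finding {id, version, score[, vector]} into a record the
    prioritizer can sort, whichever CVSS version produced it."""
    version = finding["version"]
    record = {
        "id": finding["id"],
        "version": version,
        "score": round(finding["score"], 1),
        "severity": severity_label(finding["score"], version),
        "nomenclature": None,
        "exploit_maturity": "Not Defined",  # pre-4.0 findings carry no threat data
    }
    if version == "4.0":
        metrics = parse_v4_vector(finding["vector"])
        record["nomenclature"] = nomenclature(metrics)
        record["exploit_maturity"] = EXPLOIT_MATURITY[metrics.get("E", "X")]
    return record


def prioritize(findings: list) -> list:
    """Sort findings: known-attacked (and unknown, per spec) first, then by score."""
    return sorted((normalize(f) for f in findings),
                  key=lambda r: (EXPLOIT_RANK[r["exploit_maturity"]], -r["score"]))


# Constructed sample input: IDs, scores and vectors are illustrative only and
# the scores were not computed from the vectors.
SAMPLE_FINDINGS = [
    {"id": "F-1", "version": "2.0", "score": 7.5},
    {"id": "F-2", "version": "4.0", "score": 6.9,
     "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},
    {"id": "F-3", "version": "3.1", "score": 9.8},
    {"id": "F-4", "version": "4.0", "score": 8.2,
     "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:H"},
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE_FINDINGS):
        print(rec)
```

Note that F-4, the highest-scoring 4.0 finding, sorts last because its Exploit Maturity is Unreported, while the 2.0 and 3.1 findings keep top rank only because they carry no threat data at all and the spec treats Not Defined as Attacked. That is the practical reason to feed threat intelligence into the E metric rather than leaving it blank: without it, the score cannot go down, and the older-version findings in the same report cannot be distinguished from actively exploited ones.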

If you're interested in a solution that combines the best of both worlds, Glassportal can carry findings across CVSS versions and lets you add your own subjective metrics so you can actually understand your risk. Contact us for a demo: demo@glassportal.io
