IriusRisk Team
The Threat Modeling Experts
November 16, 2023

Common Vulnerability Scoring System (CVSS) version 4.0: The Key Changes

What is CVSS?

CVSS is a risk calculator that assigns a risk severity (low, medium or high) to each vulnerability that is discovered. It consists of four metric groups: Base, Threat, Environmental, and Supplemental. It is an open framework owned and managed by FIRST.Org, Inc. (FIRST stands for Forum of Incident Response and Security Teams), a US-based non-profit organization.

CVSS Version 4.0 (v4)

The new standard for CVSS v4 has now been released. We are thrilled to have our very own Global Head of Cybersecurity at IriusRisk, Francisco Luis de Andres Perez, mentioned in the Acknowledgements section of this Specification Document. He is one of the CVSS Special Interest Group (SIG) members who contributed.

Head over to first.org to find out more about this framework and how you can use it, thanks to an in-depth look at all of the possible metrics and assessments.

CVSS V3 vs CVSS V4

If you are looking at what is new, what has been removed and an introduction to all the changes, take a look at this document cited by OWASP, which covers:

  • Importance of using Threat Intelligence and Environmental metrics for accurate scoring
  • Operational Technology/Safety Metrics
  • Supplemental Concepts of “Automatable”, “Recovery” and “Vulnerability Response Effort”
  • Representation of provider-supplied Urgency within CVSS standard
  • Active vs. Passive “User Interaction”
  • “Attack Complexity” vs. “Attack Requirements”
  • Nomenclature
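To make the last three items concrete, here is an added example (not IriusRisk's own code) in Python: a validator for CVSS v4.0 vector strings that derives the new nomenclature (CVSS-B, -BE, -BT, -BTE) and surfaces Attack Requirements, active/passive User Interaction and the Supplemental metrics. Metric names and values are taken from the FIRST v4.0 specification document; the sample vectors are constructed, and treating a metric left at X as "not assessed" when naming the score is this example's own convention.

```python
# Added example (not IriusRisk's code): validate a CVSS v4.0 vector string and
# label the result with the v4 nomenclature (CVSS-B, -BE, -BT, -BTE).
# Metric names and values follow the FIRST CVSS v4.0 specification document.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA", "VC": "HLN",
        "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML", "MAV": "XNALP", "MAC": "XLH",
                 "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA", "MVC": "XHLN", "MVI": "XHLN",
                 "MVA": "XHLN", "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ("X", "Clear", "Green", "Amber", "Red")}
GROUPS = (BASE, THREAT, ENVIRONMENTAL, SUPPLEMENTAL)

def parse_cvss4(vector):
    """Return {metric: value}; raise ValueError on anything the v4 grammar rejects."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("vector must start with the CVSS:4.0 prefix")
    metrics = {}
    for part in vector.split("/")[1:]:
        name, sep, value = part.partition(":")
        allowed = next((g[name] for g in GROUPS if name in g), ())
        # tuple() turns the value string into an exact-value test, not a substring test
        if not sep or value not in tuple(allowed):
            raise ValueError(f"invalid metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"mandatory Base metrics missing: {missing}")
    return metrics

def nomenclature(metrics):
    """Name the score by the groups actually assessed (X = Not Defined counts
    as not assessed; that is this example's convention, not spec wording)."""
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

def v4_highlights(metrics):
    """Surface the metrics this post calls out as new or changed in v4."""
    return {"attack_requirements": "Present" if metrics["AT"] == "P" else "None",
            "user_interaction": {"N": "None", "P": "Passive", "A": "Active"}[metrics["UI"]],
            "automatable": metrics.get("AU", "X"), "recovery": metrics.get("R", "X"),
            "response_effort": metrics.get("RE", "X")}

# Constructed sample vectors for illustration, not the scores of any real CVE.
BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
FULL = BASE_ONLY.replace("AT:N/", "AT:P/").replace("UI:N/", "UI:A/") + "/E:A/CR:H/AU:Y/R:U/RE:H"
```

Note that a v3.x value such as UI:R is rejected outright, which is the kind of check a scoring pipeline needs once v3 and v4 vectors start arriving side by side.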

References:

  1. https://www.first.org/cvss/v4.0/specification-document#Appendix-A---Acknowledgments
  2. https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-cvss-4-0/jan-25-2023-ssca-dugal-rich.pdf
About the author...
The IriusRisk Team represents the collective expertise and official voice of the company, driven by security researchers, product managers, and engineering leaders dedicated to the automation of threat modeling. This content is curated by the company's core staff to deliver official news, product roadmaps, and feature updates. The team's mission is to ensure every release and announcement is delivered with transparency, technical accuracy, and strategic alignment with the Secure by Design philosophy.