The Forum of Incident Response and Security Teams (FIRST) has updated its internationally recognized Common Vulnerability Scoring System (CVSS). CVSS is a universal scoring system designed to provide the security community with an open, globally harmonized standard for rating software vulnerabilities. The system is available to organizations around the world, and version 3.1 has been posted to the FIRST website for members and non-members.
CVSS 3.1 simplifies and improves on version 3.0, making it easier for the security community to adopt. The updates include clarified definitions and explanations of existing metrics, such as Attack Vector, Privileges Required, Scope, and Security Requirements.
The CVSS Extensions Framework is a new standard method for extending CVSS that allows admins to retain the official Base, Temporal, and Environmental metrics while adding additional metrics and metric groups.
The additional metrics allow industry sectors, such as privacy, security, automotive, medical, etc., to score factors outside of the core CVSS standard. Finally, the CVSS glossary of terms was expanded and refined to cover all the terms used in the CVSS 3.1 documentation.
FIRST is grateful to the experts in the industry for their contributions because their efforts have improved CVSS, making it more suitable for vulnerabilities, products, and platforms developed in the past 15 years.