Common Vulnerability Scoring System v1 Archive

The CVSS Team have preserved here a historic record of the first version of CVSS. This material should not be used for scoring or other CVSS-related activities; it is of historic interest only.

FIRST to host CVSS

[ 14 April 2005 ]

The National Infrastructure Advisory Council (NIAC) has chosen FIRST to be the custodian of the Common Vulnerability Scoring System (CVSS), the emerging standard in vulnerability scoring. This rating system is designed to provide open, universally standard severity ratings for software vulnerabilities. Organizations critically need help in prioritizing security vulnerabilities appropriately across their constituencies. Without a common scoring system, security teams worldwide solve the same problems with little or no coordination. FIRST will collaborate closely with CERT/CC and MITRE on this.

The framework is in its first-generation stage, so active participation from the global IT community is needed during its implementation and testing phase to gather feedback for future developments and enhancements that will increase the scoring system's usability and acceptance. This feedback will initially be provided by a Special Interest Group within FIRST.

The biggest challenge facing any new standard is its universal adoption. To address the inconsistency of scoring metrics for vulnerabilities, FIRST believes that a global approach to adoption of the new standard is the best strategy. Through the international collaboration that takes place within the organization on a regular basis, FIRST is uniquely qualified both to promote the adoption of CVSS inside and outside its membership and to maintain the standard going forward.

Key Factors to Global Adoption

Some of the key factors in gaining global adoption of a Common Vulnerability Scoring System are global visibility, the support of IT vendors and the community worldwide, and a basic understanding of how the system works. The Internet and its vulnerabilities do not belong to one country; therefore any technology that is to be adopted globally must have technical merit and the support of an internationally recognized, non-governmental organization. Incident response teams, who deal with cyber security on a daily basis, are the ideal group to use and advocate this system. The Forum of Incident Response and Security Teams (FIRST), a not-for-profit corporation, is the premier organization and recognized global leader in incident response.

FIRST consists of a global network of computer security incident response teams (CSIRTs) that work together voluntarily to deal with computer security problems and promote incident prevention programs. These teams represent government, law enforcement, commercial, education and other organizations spread over the Americas, Asia, Europe and Oceania. FIRST was the obvious choice, and NIAC has officially endorsed our bid for hosting, updating and promoting CVSS. This aligns well with the primary purpose of FIRST: providing an international forum for participating organizations to work together to share current information & tools, solve common problems, plan future strategies and promote computer security around the world.

As part of our mission, FIRST encourages and promotes the development of quality security products, policies & services and computer security best practices. FIRST is uniquely organized and positioned to offer the best home and support for the Common Vulnerability Scoring System.

Approach

The FIRST Steering Committee has established a Vulnerability Metrics Committee, to be chaired by Gavin Reid of Cisco Systems (and co-chaired by Jim Duncan, a CVSS and VDF contributor), with the task of building a working group, evangelizing CVSS and the Vulnerability Disclosure Framework (VDF), soliciting and approving funding for projects to implement or improve CVSS, and building toward a next version. This committee will take on the task of promoting CVSS to the global Internet community through presentations, white papers, software tools and face-to-face meetings with a global target audience.

Since the framework is in its first-generation stage, active participation from the global IT community is needed during its implementation and testing phase to gather feedback for future developments and enhancements that will increase the scoring system's usability and acceptance. We will recruit volunteers from across FIRST representing the different functional areas that make up the FIRST community (commercial, governmental and educational).

Key Elements of this Proposal

  • Promote and educate the information technology community on the benefits of using a common scoring system framework to describe the severity of computer security vulnerabilities, replacing vendor-specific severity rating systems
  • Foster cooperation among information technology constituents in the effective implementation and testing of the Common Vulnerability Scoring System framework
  • Provide a means for the communication of the CVSS Vendor Base and/or Temporal scoring information on published vulnerabilities
  • Support the actions and activities of FIRST's CVSS Committee including research, software development and operational activities
  • Facilitate the sharing of CVSS-related information, tools, and techniques.

Conclusion

The biggest challenge facing any new standard is its universal adoption. To address the inconsistency of scoring metrics for vulnerabilities, FIRST believes that a global approach to adoption of the new standard is the best strategy. Through the international collaboration that takes place within the organization on a regular basis, FIRST is uniquely qualified both to promote the adoption of CVSS inside and outside its membership and to maintain the standard going forward.

Summary

  • CVSS is a process, developed under NIAC, for evaluating vulnerabilities using a common approach.
  • NIAC has chosen FIRST as the organization to manage the long-term direction of CVSS.
  • Some parties have already successfully implemented CVSS, and FIRST will be sharing best practices with members.
  • FIRST will create the Vulnerability Metrics Committee, chaired by Gavin Reid, to enrich the document and help push the standard forward.

The CVSS Pioneers

FIRST acknowledges the CVSS pioneers, who wrote the original NIAC/CVSS document:

  • Mike Schiffman
    Cisco Systems
  • Gerhard Eschelbeck
    Qualys
  • Dave Ahmad
    Symantec
  • Andrew Wright
    Cisco Systems
  • Sasha Romanosky
    Carnegie Mellon University

Participation

To participate in this growing standard and join the discussions, please send a note to the FIRST Secretariat (first-sec at first.org) and ask to be added to the CVSS SIG and its mailing list. We would like as many people as possible to try CVSS out for vulnerability scoring and share their experiences on this mailing list. The list is also a way to send questions, comments and feedback directly to the CVSS team.

Chair(s)

Gavin Reid (Cisco Systems)