FIRST and the CVSS Special Interest Group (SIG) would like to wish a very happy first birthday to the newest version of CVSS, version 4.0!
CVSS v4.0 was officially released on November 1, 2023. In the year since its release, CVSS v4.0 has been adopted by several major providers, and the CVE Program and NIST's National Vulnerability Database (NVD) have added official support for it to their tooling. A tooling library, including implementations of CVSS calculators in various programming languages, has also been updated to include support for CVSS v4.0. An updated training course that applies to both providers and consumers is available for CVSS v4.0.
CVSS v4.0 includes many new features, including updates to the following metrics: User Interaction, Attack Complexity, and Attack Requirements. There are new metric values that allow assessors to indicate impacts to physical safety for OT and ICS applications. The Scope metric has been removed in favor of improved clarity for Confidentiality, Integrity, and Availability impact metrics for vulnerable and subsequent systems. The reworked and simplified Threat metric group incorporates measures of exploitability to significantly adjust resulting scores based on known exploitation status using threat intelligence sources such as the Known Exploited Vulnerability (KEV) database. Finally, a new category of Supplemental Metrics was included. The Supplemental Metrics add contextual information to assessments, such as the Recovery metric, to indicate lingering impacts on systems and the difficulty of recovering from exploitation, and the Automatable metric to indicate whether a vulnerability is "wormable".
Data from providers flows into public vulnerability databases that have tooling support for CVSS v4.0. At time of writing, there were more than 2400 CVEs with CVSS v4.0 scores in the CVE Program database, with hopefully many more to come.
The FIRST CVSS SIG continues to develop the CVSS standard, gathering feedback and requirements for inclusion in future updates. The CVSS SIG is currently running a CVSS v4.0 survey that is available here. Producers and consumers of CVSS scores are encouraged to provide feedback through the survey or directly to the FIRST CVSS SIG to help us guide the future of CVSS.
Once again, happy first birthday to CVSS v4.0!