Common Vulnerability Scoring System SIG

The CVSS SIG continues to work on gathering feedback and updating CVSS v4.0. The CVSS documentation, including the User Guide, FAQ, and Examples have seen updates since the initial release in November 2023. Currently, the CVSS SIG is developing a roadmap for future updates to the standard. To that end, the CVSS SIG has created a survey to understand the usage of CVSS in general and the new CVSS v4.0 in particular. That survey is available at here

Please submit your responses to help guide the future of CVSS. If you have additional information or suggestions, please follow up with cvss@first.org. The CVSS SIG cannot respond to each request but will review all submissions.

Mission

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS is a published standard used by organizations worldwide, and the SIG's mission is to continue to improve it.

Goals/Deliverables

CVSS is currently at version 4.0. Links on the left lead to CVSS version 4.0's specification and related resources.

A self-paced on-line training course is available for CVSS v4.0. It explains the standard without assuming any prior CVSS experience.

Latest Initiatives

The CVSS Special Interest Group (SIG) is proud to announce the official publication of CVSS v4.0. The latest information on CVSS v4.0 can be found on our CVSS v4.0 landing page.

The SIG is composed of representatives from a broad range of industry sectors, from banking and finance to technology and academia. Organizations and individuals interested in joining the SIG, or observing progress via the CVSS SIG mailing lists, should complete the Request to Join form below.

Request to Join