FIRST Urges Wide-Scale Adoption of New Common Vulnerability Scoring System (CVSS)

Cisco, eBay, Internet Security Systems, Qualys and Others Design Vendor-Agnostic Language for Measuring and Addressing Network Vulnerabilities


RESEARCH TRIANGLE PARK, NC - Sep 19, 2005. The Forum of Incident Response and Security Teams (FIRST) — a not-for-profit network of computer security incident response teams representing government, law enforcement, commercial, education and other organizations worldwide — has joined industry leaders in urging organizations throughout the global Information Technology (IT) community to test the first Common Vulnerability Scoring System (CVSS). FIRST is hosting and serving as custodian for updates to the CVSS, designed to give security professionals, business executives and end users across industries a standard language for measuring vulnerabilities of networked information systems and prioritizing responses.

CVSS was designed by a team of industry-leading companies, including Cisco Systems®, Inc., eBay, Internet Security Systems and Qualys Inc. in support of the U.S. National Infrastructure Advisory Council (NIAC). It is a simple, open, vendor-agnostic system that factors seven base metrics along with time- and environment-dependent metrics in assigning a composite score representing the overall risk presented by a vulnerability.

“CVSS solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone,” said Gavin Reid, FIRST’s CVSS project manager and a member of Cisco’s Computer Security Incident Response Team. “Because the framework is in its first-generation stage, there is a need for active participation and feedback within the global IT community. FIRST’s goal is to increase the scoring system's usability and acceptance across industries.”

At the initial meeting of FIRST’s CVSS Special Interest Group, early adopters of the system, including Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest Ltd., Qualys, Sintelli, Skybox Security and Unisys, agreed to test the system and look into applicable usage within their companies. More than 30 governments and vendors were represented at the July meeting in Singapore.

“Through CVSS, the security industry has made incredible progress in creating a common language for understanding vulnerabilities and threats,” said Gerhard Eschelbeck, one of the designers of CVSS and chief technical officer of Qualys. “There are already a number of organizations who have committed to CVSS and begun implementation. With the resources and focus of the FIRST team, we’ll be able to take this initiative to the next level of widespread adoption.”

IT specialists interested in finding out how they can participate and reviewing the CVSS framework and tools to facilitate end-user scoring can visit http://www.first.org/cvss.

About CVSS

CVSS, unveiled on the U.S. Department of Homeland Security's web site on Feb. 23, 2005, grew out of NIAC efforts to promote a common understanding of network threats. In a report released in January 2004, the NIAC defined a vulnerability as “a set of conditions that may lead to an implicit or explicit failure of the confidentiality, integrity or availability of an information system.” The report said that hardware or software design flaws, botched administrative processes, lack of information-security awareness and education and/or failure to adhere to current practices could cause vulnerabilities. The effects, reported the NIAC, could include:

  • one user’s posing as or being able to execute commands as another,
  • the ability to access data beyond specified permission levels,
  • abnormal denials of service, unauthorized destruction of data (either intentionally or inadvertently) and
  • exploitation of encryption weaknesses.

Different systems for scoring vulnerabilities are in use today. Frequently “home-grown” (developed for specific organizations by their own IT departments), these systems use different metrics, tend to be Internet-centric, fail to universally accommodate change and do not have provisions for operational environments of varying risk profiles. The CVSS development team sought to overcome these shortcomings and create a system that is freely available and simple to use by anyone, in any operational environment, for measuring any potential vulnerability. The metrics weighed in the CVSS formulas include impact to system availability, data confidentiality and integrity, as well as the vulnerability’s exploitability and potential for collateral damage.

NIAC is chartered to provide policy advice to the president of the United States. As it looked at the need for a global vulnerability-reporting framework, the NIAC recommended development of a common scoring system, which resulted in CVSS. Both the vulnerability disclosure framework and CVSS are suggested for global users. The NIAC published those reports as a public service, pulling out specific recommendations for the U.S. president. NIAC reports are available at http://www.dhs.gov/niac.

About FIRST

FIRST believes that a global approach toward adoption of the new standard is the best strategy. Through the international collaboration that occurs within the organization on a regular basis, FIRST is uniquely qualified both to promote the adoption of CVSS inside and outside of its membership and to maintain the standard going forward. As part of its mission, FIRST encourages and promotes the development of quality security products, policies and services and computer security best practices.