What is CVSS?
CVSS, the Common Vulnerability Scoring System, is an open framework maintained by FIRST (Forum of Incident Response and Security Teams). It provides a standardized method to assess the severity of a vulnerability and summarize it into a numeric score from 0 to 10, along with a vector that details how that score was derived.
The score is built from several metric groups: base metrics (the intrinsic characteristics of the flaw), temporal metrics (factors that change over time) and environmental metrics (tailoring to your own context). In practice, it is most often the base score alone that is published and used.
Why it matters for your organization
CVSS offers a common language to talk about severity. It lets you compare very different vulnerabilities on a single scale and set simple rules, for example prioritizing everything above a certain threshold.
Its strength is also its limit: it measures potential severity, not the actual risk to your organization. A critical flaw on an isolated, unexposed system can be less urgent than a medium flaw on an exposed server under active attack.
Using CVSS well
- As a starting point, not as the final prioritization verdict.
- Apply environmental metrics to reflect your real context.
- Cross-reference with EPSS to factor in the likelihood of exploitation.
- Check the CISA KEV catalog to flag confirmed exploitation.
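The four points above, worked through as an added example that is not part of the original article: the CVSS 3.1 base score is computed from the published vector string using the weights and Roundup function from the FIRST specification, and then exposure, EPSS probability and KEV membership are layered on top. The weighting in `triage_rank()` is an assumed illustrative policy, not a FIRST or CISA rule, and the two findings are constructed sample data chosen to reproduce the "critical but isolated" versus "medium but exposed and exploited" contrast.

```python
import math

# CVSS 3.1 base metric weights, as published in the FIRST specification
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
}
W["I"] = W["A"] = W["C"]          # confidentiality, integrity, availability share weights
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # privileges required, scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # privileges required, scope changed

def roundup(x):
    """CVSS 3.1 Roundup: smallest one-decimal value >= x, immune to float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """Base score from a 'CVSS:3.1/AV:N/AC:L/...' vector string."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def triage_rank(finding):
    """Assumed illustrative policy (not a FIRST/CISA rule): confirmed exploitation
    (KEV) outranks everything; otherwise weight CVSS by exposure and EPSS."""
    cvss = base_score(finding["vector"])
    exposure = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}[finding["exposure"]]
    return (finding["kev"], round(cvss * exposure * (0.2 + finding["epss"]), 2))

def prioritize(findings):
    """Most urgent first."""
    return sorted(findings, key=triage_rank, reverse=True)

# Constructed sample findings mirroring the article's two cases
FINDINGS = [
    {"id": "A", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "exposure": "isolated", "epss": 0.01, "kev": False},  # 9.8 critical, isolated
    {"id": "B", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
     "exposure": "internet", "epss": 0.60, "kev": True},   # 4.6 medium, exploited
]

if __name__ == "__main__":
    print([(f["id"], base_score(f["vector"]), triage_rank(f)) for f in prioritize(FINDINGS)])
```

Running it ranks finding B (base 4.6, internet-facing, in KEV) ahead of finding A (base 9.8, isolated), which is the reordering a base-score-only queue would never produce.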
Where organizations most often fall short
The most common trap is treating the base score as an absolute directive and mechanically patching every "critical" flaw first. This approach ignores context and likelihood of exploitation, scatters effort, and leaves lower-scored but genuinely dangerous flaws open.