FIRST Releases CVSS 4.0 Vuln Scoring Standard


The Forum of Incident Response and Security Teams (FIRST) on Monday pushed out a refresh of its CVSS vulnerability scoring standard as part of an attempt to provide more data and remove ambiguities in rating the severity of downstream issues.

The updated standard, used by organizations to rate the severity of known software flaws, offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity and simplifies threat metrics, FIRST said.

The non-profit collective, which includes more than 650 organizations from more than 100 countries, said several supplemental metrics for vulnerability assessment were added: Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency.

“A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups,” the group said.

The CVSS standard provides a way to capture the principal characteristics of a security vulnerability and produces a numerical score reflecting [a vulnerability’s] technical severity to inform and…
