Anyone in cybersecurity who has had to deal with vulnerabilities in technology systems has inevitably run into the Common Vulnerability Scoring System (CVSS). Whether or not the name is instantly recognizable, phrases labeling vulnerabilities as "critical" or "high" resonate across the industry. CVSS provides a standardized method to describe the characteristics of a vulnerability and ultimately produce a numerical score reflecting its severity, along with a qualitative rating (low, medium, or high) that gives organizations a relative gauge for managing vulnerabilities in their systems and environments.

The system has existed since 2005, has achieved widespread adoption, and has become the definitive vulnerability scoring system used by the NIST National Vulnerability Database (NVD). It has also been adopted by leading vulnerability management tooling and vendors.

CVSS is evolving in the face of criticism

Despite widespread adoption, CVSS has faced several strong critiques: its scoring approach is complex, it's too subjective, and it's widely misused for vulnerability prioritization. That said, the CVSS Special Interest Group (CVSS SIG), run by the global cybersecurity forum FIRST, has continued to iterate on the CVSS framework and is on the cusp of releasing CVSS 4.0.

Set for official publication on October 1, 2023, CVSS 4.0 has begun a public preview and comment period.
Understanding the update's key aspects (what it looks to address, and the remaining gaps or challenges that still leave some practitioners skeptical of its use and value) is helpful in determining whether it will be a vulnerability-scoring breakthrough or a broken system that may need to be rethought.

Earlier in 2023, industry leaders Dave Dugal and Dale Rich, who co-lead the CVSS SIG, gave a talk covering the chronology of CVSS, the challenges that emerged in CVSS 3.0, and the goals of CVSS 4.0. Dugal and Rich stressed that CVSS is much more than a base-score repository and emphasized that the more metrics are used to enrich CVSS scoring, the higher its quality. To counter the widespread use of only the CVSS base score and the underutilization of the additional metrics in vulnerability calculations, CVSS 4.0 will introduce new nomenclatures, such as those shown in the figure below:

[Figure: Key CVSS changes will include new and revised nomenclature]

Other key changes include the introduction of a new base metric, Attack Requirements (AT); an update to the User Interaction (UI) metric; and the retirement of the Scope (S) base metric.
Most notably, the long-standing "Temporal" metric group has been renamed "Threat", retiring the Remediation Level (RL) and Report Confidence (RC) metrics and renaming Exploit Code Maturity to Exploit Maturity, in recognition that not all exploits are code oriented.

A Supplemental metric group will also be added to account for additional extrinsic attributes of a vulnerability and to let downstream consumers and organizations apply locally significant context (for example, business criticality, data sensitivity, and mitigating controls), alongside the supplemental metrics, to best prioritize for their unique environment and circumstances.

A comprehensive view of the metric groups, their associated metrics, and the changes from CVSS 3.1 to 4.0 is visualized below by security researcher Patrick Garrity of vulnerability management company Nucleus Security:

[Figure: The Supplemental group will include new metrics]

It is worth noting that only the base metrics will be populated in sources such as NVD, as has always been the case; it will be up to the CVSS consumer (meaning organizations) to apply the additional metrics, such as the Threat metric (Exploit Maturity) or the Environmental and Supplemental metrics, to further refine scoring and prioritization.

Given that the Supplemental metric group is entirely new, it is worth unpacking it and its associated metrics: Automatable, Recovery, Safety, Value Density, Vulnerability Response Effort, and Provider Urgency.

The Automatable metric examines whether exploitation can be automated across many targets, which matters for prioritization and severity because such exploits let malicious actors rapidly expand their attack efforts. Recovery recognizes that some systems can recover automatically, while others require user intervention or are entirely unrecoverable.
Safety acknowledges that systems are increasingly cyber-physical and have the potential to affect the safety of human life.

Value Density is organizationally relevant because it represents the resources the vulnerable system has access to or possesses (its values include Limited and Expansive). Not all vulnerability exploitation demands the same level of response effort, which is where Vulnerability Response Effort comes into play. Lastly, Provider Urgency lets consumers integrate vendor- and provider-specific context on how urgent it is to address a vulnerability in a specific product or service.

Remaining challenges for CVSS 4.0

While CVSS 4.0 brings several improvements and changes to the metric groups and addresses some long-standing issues, challenges remain. One of the largest problems, and the elephant in the room, is that while CVSS may recommend using more than the base metrics for maximum efficacy, the base metrics are ultimately what sources such as the NVD populate, with the other metric groups left for downstream consumers to fill in.

We know base metrics alone aren't sufficient for vulnerability prioritization; additional factors such as environmental or business context, and whether a vulnerability is actually being exploited or is exploitable, are key as well.

On the exploitation front, sources have emerged such as the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, which is directed at federal agencies but useful for commercial organizations as well. Additionally, and somewhat ironically, there is the Exploit Prediction Scoring System (EPSS), which is starting to gain industry traction and is also led by FIRST, although by a different special interest group.
There is overlap between the two groups, with researchers such as Sasha Romanosky contributing to both CVSS and EPSS.

CVSS not broken, but perhaps incomplete

With several of the metric groups left for downstream CVSS consumers and organizations to populate with their own organization-specific context, a lot of work remains to arrive at accurate vulnerability prioritization scores and actions. This wouldn't be so bad if it weren't for the fact that studies show many organizations are dealing with vulnerability backlogs in the hundreds of thousands and struggling to keep up with the ever-increasing rate at which vulnerabilities are discovered and disclosed.

This is much more an industry-wide problem than a specific CVSS critique, but it does show that CVSS on its own isn't sufficient for vulnerability prioritization, especially when coupled with the earlier critiques of the complexity and opacity of its scoring methodology.

The unfortunate reality is that in an industry often led by marketing hype and promises of silver bullets, there isn't one. No vulnerability scoring system on its own, without enrichment with organization-specific context and accurate coverage of the current threat landscape, will be a panacea for vulnerability prioritization as part of vulnerability management.

That said, CVSS 4.0 does offer some improvements, and promising innovations in cloud-native technologies, APIs, and even AI hold promise for automation and efficiency that we haven't been able to achieve historically. However, we aren't there quite yet, and organizations need to do the hard work of applying their specific context and circumstances to properly prioritize vulnerabilities, as well as leverage the evolving landscape of vulnerability databases such as NVD, OSS Index, Global Security Database, and GitHub Security Advisories, just to name a few.
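Tying together the article's point that NVD carries only the base metrics while each consumer adds Threat, Environmental and Supplemental context, here is an added Python example (not code from FIRST, NVD, or the CVSS SIG) that validates an NVD-style CVSS 4.0 vector, overlays consumer-supplied metrics without letting them rewrite the published base values, and reports which CVSS 4.0 nomenclature (CVSS-B, -BT, -BE, -BTE) the resulting vector falls under. The metric abbreviations are assumed from the published CVSS 4.0 specification, and the code does not compute the numeric score.

```python
# Added example for this article, not code from FIRST, NVD or the CVSS SIG.
# Metric abbreviations are assumed from the published CVSS 4.0 specification,
# grouped as the article describes; the tuples also give canonical vector order.
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT = ("E",)  # Exploit Maturity, formerly Exploit Code Maturity
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL = ("S", "AU", "R", "V", "RE", "U")  # Safety .. Provider Urgency
ORDER = BASE + THREAT + ENVIRONMENTAL + SUPPLEMENTAL


def parse_components(body: str) -> dict:
    """Turn 'AV:N/AC:L/...' into {metric: value}; reject unknown or duplicate metrics."""
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ORDER or not value or name in metrics:
            raise ValueError(f"invalid or duplicate metric component: {part!r}")
        metrics[name] = value
    return metrics


def parse_vector(vector: str) -> dict:
    """Parse a full vector; base metrics are mandatory, the other groups optional."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {prefix!r}")
    metrics = parse_components(body)
    if missing := [m for m in BASE if m not in metrics]:
        raise ValueError(f"base metrics missing: {missing}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """CVSS-B, -BT, -BE or -BTE by populated group; Supplemental never changes the score."""
    threat = any(m in metrics for m in THREAT)
    env = any(m in metrics for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")


def enrich(nvd_vector: str, *overlays: str) -> str:
    """Overlay consumer-owned groups (Threat, Environmental, Supplemental) onto an
    NVD base vector; an overlay may not rewrite the base metrics NVD published."""
    metrics = parse_vector(nvd_vector)
    for overlay in overlays:
        for name, value in parse_components(overlay).items():
            if name in BASE:
                raise ValueError(f"overlay may not override base metric {name}")
            metrics[name] = value
    return "CVSS:4.0/" + "/".join(f"{m}:{metrics[m]}" for m in ORDER if m in metrics)
```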