The Common Vulnerability Scoring System (CVSS)

To date, a number of commercial computer security vendors and not-for-profit organizations have developed, promoted, and implemented systems to rank information system vulnerabilities. Unfortunately, there is no cohesion or interoperability among those systems, and they are limited in the scope of what they cover. This document proposes an open and universal vulnerability scoring system to address these shortcomings, with the ultimate goal of promoting a common language to discuss vulnerability severity and impact.

Mike Schiffman, Gerhard Eschelbeck, Andrew Wright, Dave Ahmad, Sasha Romanosky, others

Page last updated: Wed Jun 8 11:44:04 PDT 2005

A Complete Guide to The Common Vulnerability Scoring System

The original NIAC paper

A sample CVSS implementation

A better CVSS implementation

My RSA 2005 presentation

The DHS NIAC page
