CVSS v4.0 Released with New Supplemental Metrics, and OT/ICS/IoT Support


  • FIRST has released the fourth instalment of the CVSS standard.
  • CVSS v4.0 offers superior applicability to OT (Operational Technology), ICS (Industrial Control Systems), and the IoT (Internet of Things) technologies.
  • The new version boasts many new tweaks and features to help security experts accurately assess vulnerabilities’ severity.
  • Version 4.0 has finer granularity in base metrics, eliminates downstream scoring ambiguity, and simplifies threat metrics.
  • FIRST has also added supplemental metrics for vulnerability assessment and safety metrics for Supplemental and Environmental metric groups.

The non-profit collective Forum of Incident Response and Security Teams (FIRST), has released the new version of their Common Vulnerability Scoring System (CVSS), CVSS 4.0. Its first look was unveiled at the 35th Annual FIRST Conference in Montréal. Canada.

CVSS is a standard that security experts use to measure the severity level of software vulnerabilities. It is used to capture the key characteristics of a security flaw. It indicates its severity level with a numerical score reflecting whether it is a low, medium, high, or critical severity flaw. This helps alert government agencies, businesses, the general public, and service providers to implement protective measures accordingly.

 The key changes in CVSS v4.0 include:

Finer granularity in base metrics for consumers:

CVSS 4.0 offers customers more granular control over the way they score vulnerabilities so that they can tailor the scoring system to their specific needs and assess vulnerabilities in real time.

Removal of downstream scoring ambiguity:

CVSS 3.0 and earlier versions weren’t foolproof, and there was some potential for ambiguity in scoring when downstream vulnerabilities were to be scored. However, the new version eradicates the possibility of ambiguity by offering extensive guidance on scoring downstream vulnerabilities.

Simplification of threat metrics:

The new version combines threat metrics into a single metric to simplify them and make it easier for consumers to understand/use the scoring system.

Supplemental metrics for vulnerability assessment:

CVSS v4.0 offers additional supplemental metrics for assessing vulnerabilities. These include Automatable, Value Density, Recovery, Provider Urgency, and Vulnerability Response Effort. These new metrics offer extended information about vulnerabilities so that security experts can make informed decisions about remediation efforts.

Increased applicability to OT/ICS/IoT:

The new CVSS version is more applicable to OT/ICS/IoT systems due to the addition of Safety metrics and values to Supplemental and Environmental metric groups. This helps in the accurate scoring of flaws found in these systems.

Base score:

The new version calculates the base score with a new formula that examines certain factors, including the vulnerability’s impact on integrity, confidentiality, availability, exploitability, and scope (which means the number of systems and users a vulnerability can impact).

Temporal score:

The temporal score will now consider the vulnerability’s age and availability of exploits. Through CVSS 4.0, it is possible to check the current threat status of any vulnerability and accordingly modify protection measures.

Another notable feature is the modification of nomenclature as CVSS will not just be the Base core now. Here is an overview of the new nomenclature.

  • § CVSS-B: CVSS Base Score
  • § CVSS-BT: CVSS Base + Threat Score
  • § CVSS-BE: CVSS Base + Environmental Score
  • § CVSS-BTE: CVSS Base + Threat + Environmental Score

Overall, CVSS v4.0 is a powerful package offering considerable improvements compared to earlier versions and provides organizations with a more accurate and comprehensive mechanism to assess software vulnerabilities.

“This latest release marks a significant step forward with added capabilities crucial for teams with the importance of using threat intelligence and environmental metrics for accurate scoring at its core,” FIRST said.

More details on the new version are available here.

Related Posts