The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015.
“This latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public,” FIRST said in a statement.
One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that “CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.”
The latest revision to the standard aims to address some of these shortcomings by providing several supplemental metrics for vulnerability assessment, such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U).
It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.
The idea, FIRST said, is to “reinforce the concept that CVSS is not just the Base score,” adding “this nomenclature should be used wherever a numerical CVSS value is displayed or communicated.”
Source: https://thehackernews.com/
