Why the Common Vulnerability Scoring System (CVSS) Is Necessary – But Also Insufficient
Measuring the risks posed by vulnerabilities — to the greatest degree of accuracy — is no simple task. It’s common for organizations to use the Common Vulnerability Scoring System (CVSS) by default, to come to terms with the size and scope of vulnerabilities. But while CVSS is a useful tool, it’s not immune from its own vulnerabilities.
How does vulnerability scoring work?
Vulnerability scoring systems are tools used to determine the risk associated with software or system vulnerabilities. The numerical score helps IT and security teams know how and where to direct their resources to get in front of potential risks.
Vulnerability scoring takes into account factors such as the complexity of exploiting a vulnerability, the potential impact on the affected systems and whether administrative access or user interaction is required for an attack to succeed.
CVSS is one of several scoring frameworks, but it has become the industry-standard one. That’s because it introduces a high degree of consistency in how vulnerabilities are described and communicated.
What is the Common Vulnerability Scoring System (CVSS)?
CVSS has emerged as the go-to method for calculating the severity of vulnerabilities. The idea is to standardize how stakeholders assess and rank vulnerabilities based on a numerical scale from 0 to 10.
What factors are considered in CVSS?
CVSS assigns significance to vulnerabilities across the enterprise infrastructure using several criteria, such as:
- Attack vector: From where can the vulnerability be exploited? For instance, does the attacker need local access to the machine, can it be reached remotely across a network, or is another context at play?
- Access complexity: How difficult or complex is the exploitation process?
- Authentication: Is user authentication necessary for the exploitation to take hold?
- Impact: How might the threat impinge on system confidentiality, integrity or availability?
- User interaction: Does the event require a user to take action, such as clicking on a link in a phishing email?
Each of these metrics is assigned a value, and the values are then combined to produce an overall CVSS severity score.
CVSS nomenclature
CVSS scores are commonly categorized into severity levels:
- Low (0.1–3.9): Minor risk, with slight potential for detriment.
- Medium (4.0–6.9): Indicative of moderate risks that should be acted on.
- High (7.0–8.9): Serious vulnerabilities that necessitate prompt action.
- Critical (9.0–10): Vulnerabilities with high urgency due to grave potential for extensive exploitation.
Are there other vulnerability scoring systems?
Other vulnerability scoring approaches, such as the Exploit Prediction Scoring System (EPSS), exist. The reality, however, is that none has enjoyed the broad adoption that CVSS has.
Where vulnerability scoring systems fall short
It’s true that CVSS provides a basic assessment of vulnerabilities. Unfortunately, it’s lacking on several fronts, which makes it insufficient when used alone.
Static scoring and blind spots
One area where CVSS falls short is its static, fixed scoring model. A severity score is assigned when a vulnerability is first identified, and that score does not change when circumstances change. This is a flaw, because a vulnerability classified as “low” today may become a higher priority in the future. Put simply, CVSS captures a point-in-time picture and does not account for changes in the threat landscape.
For example, a “5.0” medium score may seem insignificant at first glance. Further down the road, if a working exploit is discovered and exploitation escalates, the inherent risk increases drastically. Without additional context, decision-makers may misprioritize the vulnerability.
What is risk context?
Another potential shortfall of CVSS is that it may not adjust for the specific operational environment or risk context of an organization. The risk of a vulnerability is often dependent on the organization and context. For instance, a vulnerability on a public-facing server at a bank will present a greater risk than the same vulnerability on an internal server used by a few people in a department. A “low-severity” vulnerability could be disastrous for organizations that handle sensitive data, such as hospitals. The potential to expose healthcare records carries a higher regulatory risk than other kinds of leaked customer data. The regulatory context informs the elevated organizational risk.
Put simply, risk context matters. Each applicable vulnerability must be judged in the appropriate organizational and usage context — potentially folding into broader risk management efforts for the organization.
Calculating vulnerability scores
CVSS falls short in prioritization, as this example shows:
A CVSS score of 5.0 could suggest moderate severity. Basing a decision on this static number alone could cause a vulnerability to be prematurely dismissed. The vulnerability could remain unaddressed and pose a latent and improperly categorized risk for the organization.
In contrast, a decision-maker should consider the vulnerability’s context. Management may notice that the CVSS 5.0 vulnerability is trending on exploit feeds, is used in ransomware campaigns and exists on highly critical servers. These additional “red flag” conditions mean the vulnerability may threaten the organization’s operations — and therefore must be prioritized according to risk.
In short, relying on CVSS alone is equivalent to tunnel vision and may leave organizations vulnerable.
A better approach to vulnerability scoring
A one-size-fits-all vulnerability score has limitations. Ivanti’s Vulnerability Risk Rating (VRR) goes beyond static CVSS scores by drawing on dynamic context and environmental factors to gauge risk.
What factors are used to generate a vulnerability risk rating?
VRR is defined by layering context on top of traditional CVSS inputs:
- CVSS scores: Used as an initial baseline.
- Exploitability: Is the vulnerability actively being exploited?
- Trends: Is the vulnerability featured in exploit kits, ransomware campaigns or other malicious tools?
- Severity dynamics: VRR is updated as new risks come on the scene, making it responsive and relevant to the latest threats.
VRR gives organizations real-world prioritization. In practice, this means that high-risk vulnerabilities don’t slip through the cracks, while low-risk issues don’t put additional strain on teams that may already be spread thin.
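As an added illustration of the layering idea described above and in the CVSS 5.0 example earlier, the Python below takes a CVSS base score as the baseline and adjusts it with threat-intelligence and asset-context signals, then ranks a set of findings and re-rates one of them after new intelligence arrives. This is example code written for this page, not Ivanti’s VRR or any vendor’s formula: the field names, multipliers and sample findings are all invented, and real implementations would derive their weights from their own threat data.

```python
from dataclasses import dataclass


@dataclass
class ThreatContext:
    """Threat-intelligence signals about one vulnerability at a point in time.
    Field names are invented for this example."""
    exploited_in_wild: bool = False   # confirmed active exploitation
    in_exploit_kit: bool = False      # packaged in exploit kits or ransomware tooling
    trending: bool = False            # trending on exploit feeds


@dataclass
class AssetContext:
    """Where the vulnerable component lives in the organization. Also invented."""
    internet_facing: bool = False
    criticality: str = "medium"       # "low" | "medium" | "high"
    regulated_data: bool = False      # e.g. healthcare or payment records


@dataclass
class Finding:
    vuln_id: str
    cvss_base: float
    threat: ThreatContext
    asset: AssetContext


def cvss_band(score: float) -> str:
    """Qualitative bands as listed in the article."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"


def contextual_risk(f: Finding) -> float:
    """Illustrative risk rating: CVSS base score as the baseline, then context multipliers.
    The multipliers are invented for this example; they are not a published formula."""
    score = f.cvss_base
    # Threat layer: is anyone actually exploiting it, and how widely?
    if f.threat.exploited_in_wild:
        score *= 1.5
    if f.threat.in_exploit_kit:
        score *= 1.3
    if f.threat.trending:
        score *= 1.1
    # Asset layer: exposure and business or regulatory impact of the host.
    if f.asset.internet_facing:
        score *= 1.2
    score *= {"low": 0.5, "medium": 1.0, "high": 1.3}[f.asset.criticality]
    if f.asset.regulated_data:
        score *= 1.2
    return round(min(score, 10.0), 1)


def prioritize(findings: list) -> list:
    """Rows of (vuln_id, cvss_base, contextual_risk, band), highest contextual risk first."""
    rows = []
    for f in findings:
        risk = contextual_risk(f)
        rows.append((f.vuln_id, f.cvss_base, risk, cvss_band(risk)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def rerate_after_intel(f: Finding) -> tuple:
    """Same finding before and after 'exploited in the wild' intel arrives:
    the CVSS base score stays fixed, the contextual rating moves."""
    before = contextual_risk(f)
    updated = Finding(f.vuln_id, f.cvss_base, ThreatContext(exploited_in_wild=True), f.asset)
    return before, contextual_risk(updated)


# Constructed sample findings (identifiers are placeholders, not real CVEs).
SAMPLE = [
    # CVSS 9.8 on an isolated, low-value internal box with no known exploitation
    Finding("VULN-A", 9.8, ThreatContext(), AssetContext(False, "low", False)),
    # CVSS 5.0 that is actively exploited, in ransomware tooling, on an exposed critical server
    Finding("VULN-B", 5.0, ThreatContext(True, True, True), AssetContext(True, "high", True)),
    # The same CVSS 5.0 with no red flags yet
    Finding("VULN-C", 5.0, ThreatContext(), AssetContext(False, "medium", False)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
    print("VULN-C before/after intel:", rerate_after_intel(SAMPLE[2]))
```

With these sample inputs the CVSS 5.0 finding with red flags ranks first as Critical, while the CVSS 9.8 on the isolated low-value host drops to Medium; VULN-C starts at 5.0 and moves to 7.5 (High) once exploitation is confirmed, which is the re-rating a static score cannot express.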
Proactive vulnerability management starts here
Smart vulnerability management should be concerned with more than filling in gaps. It’s about broadening your view, too. Static, generic scoring systems no longer support the needs of the modern IT environment.
With Ivanti’s VRR, organizations stand to gain a great deal. For one, you can rest assured that remediation efforts align with real-world risk. Visibility into organizational health and risk posture gives you an edge as you look to stay ahead of threats. Not to mention that the ability to demonstrate reduced risk is essential for cyber insurance and compliance.
Leveling up on vulnerability management means looking beyond the limitations of CVSS.