What is CVSS?

Definition

CVSS — Common Vulnerability Scoring System — is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score from 0 to 10 that represents the severity of a vulnerability, allowing security teams to prioritize remediation efforts based on a consistent, standardized scale.

CVSS is maintained by FIRST (Forum of Incident Response and Security Teams). NVD (National Vulnerability Database) applies CVSS scores to CVE entries, making CVSS scores the primary severity signal in vulnerability management tools worldwide.

CVSS Score Components

CVSS 3.1 (the current widely adopted version) calculates a score from three metric groups:

Base Score

Captures the intrinsic characteristics of the vulnerability — properties that are constant regardless of environment or time:

• Attack Vector (AV) — Network, Adjacent, Local, Physical
• Attack Complexity (AC) — Low or High
• Privileges Required (PR) — None, Low, High
• User Interaction (UI) — None or Required
• Scope (S) — Unchanged or Changed
• Confidentiality Impact (C) — None, Low, High
• Integrity Impact (I) — None, Low, High
• Availability Impact (A) — None, Low, High

Temporal Score

Adjusts the Base Score based on time-sensitive factors: whether exploit code is available, whether a fix exists, and how confident researchers are in the vulnerability report. The Temporal Score decreases over time as patches are released.

Environmental Score

Allows organizations to customize the score based on their specific environment: which security controls are in place, how important the affected system is, and how much impact a breach would have in their context. Environmental scoring enables context-specific prioritization.

CVSS Severity Ratings

CVSS 4.0

CVSS 4.0 was released in 2023 and introduces significant improvements:

• New metric groups: Supplemental (for informational context) and Threat (replacing Temporal)
• More granular attack complexity differentiation
• Better handling of vulnerabilities in OT/ICS/IoT contexts
• Improved scoring for vulnerabilities requiring subsequent system exploitation

Adoption of CVSS 4.0 is gradual — NVD and most tools continue to publish CVSS 3.1 scores, with 4.0 adoption increasing through 2025-2026.

Limitations of CVSS

CVSS is widely used but has well-documented limitations:

• Base Score does not reflect exploitability in practice — a CVSS 9.8 vulnerability with no public exploit and no affected surface in your environment may be lower priority than a CVSS 7.0 with active exploitation
• Base Scores are assigned by CVE reporters who may have different standards — scores are not perfectly consistent across CNAs
• CVSS does not account for the business context of the affected system — a critical system and an internal dev tool get the same score for the same vulnerability
• Score inflation — many vulnerabilities receive 9+ scores, making differentiation within the Critical band difficult

CVSS and Autonomous Code Governance

Hydra uses CVSS Base Scores as the starting point for vulnerability prioritization, enriched with EPSS (Exploit Prediction Scoring System) data on actual exploitation probability and environmental context from the codebase. High-CVSS vulnerabilities trigger autonomous remediation by default; lower-severity findings are batched and scheduled. For critical (9.0+) vulnerabilities in dependencies, Hydra generates upgrade PRs within the hour of NVD enrichment. Environmental scoring adjustments — accounting for compensating controls already present in the codebase — refine priorities further.