Vulnerability Taxonomies

CVSS

Definition

CVSS (Common Vulnerability Scoring System) is the industry-standard scoring framework for assessing the severity of software vulnerabilities. Maintained by FIRST.org, the current version is CVSS 4.0 (published 2023) with CVSS 3.1 still widely used in legacy advisory databases.

What it means

CVSS produces a base score (0.0–10.0) intended to represent the intrinsic severity of a vulnerability, plus optional temporal and environmental score adjustments. The base score is derived from a structured vector covering attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality / integrity / availability.

The most common misuses we see are: treating CVSS base score as a prioritization signal in isolation (ignoring exploitability and asset value), using a single environmental score for an entire estate (where realistic context varies sharply per system), and re-scoring CVSS to "look reasonable" without documenting the score-vector rationale.

For Melina engagement reporting, CVSS is one signal among several. We pair it with exploitability assessment (whether a working exploit path exists in the engagement scope), business-context severity, and where appropriate EPSS probability scores.

Related terms

- CVE
- CWE
- EPSS (P1.5)

Authoritative sources

- CVSS 4.0 specification (FIRST)
- CVSS 3.1 specification (FIRST)

---