CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE.


A Look at the CVE and CVSS Relationship


We’ve received a few questions recently about CVSS and vulnerability severity scoring, so as a reminder, CVSS is a separate program from CVE.

CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE does not provide severity scoring or prioritization ratings for software vulnerabilities.

CVSS Defined

While separate from CVE, the Common Vulnerability Scoring System (CVSS) standard operated by the Forum of Incident Response and Security Teams (FIRST) can be used to score the severity of software vulnerabilities identified by CVE Entries.

CVSS Version 3.0 provides “a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”

CVE Entries are cited in the CVSS specification and documentation to identify individual vulnerabilities used as examples, but they are not required for using CVSS.

NVD Hosts a CVSS Calculator for CVE Entries

Severity scoring and prioritization for CVE Entries are available through a CVSS calculator provided by the U.S. National Vulnerability Database (NVD).

According to the NVD website, which is operated by the National Institute of Standards and Technology (NIST), NVD’s CVSS calculator for CVE Entries supports both the CVSS 2.0 and CVSS 3.0 standards, and provides qualitative severity rankings for CVE Entries using each version. NVD’s CVSS calculator also allows users to add two further types of score data to their severity scoring: (1) temporal, for “metrics that change over time due to events external to the vulnerability,” and (2) environmental, for “scores customized to reflect the impact of the vulnerability on your organization.”

For details and help, visit NVD’s CVSS Calculator for CVE Entries on the NVD website.

CVE, CVSS, and NVD

To recap, CVE does not provide severity scoring or prioritization and does not have a direct relationship with CVSS. The sole purpose of the CVE List is to provide common identifiers—CVE Entries—for publicly known cybersecurity vulnerabilities.

CVE Entries can be scored for severity and prioritization using FIRST’s CVSS standard.

NIST’s NVD provides a free CVSS calculator for CVE Entries. NVD also provides a download on the NVD website of “CVSS scores for all published CVE vulnerabilities.” Visit the NVD website to learn more.

Did We Point You in the Right Direction?

To discuss this post with us, please use our LinkedIn page or the CVE Request Web Form by selecting “Other” from the dropdown.

We look forward to hearing from you!

- The CVE Team
  September 11, 2018



Page Last Updated or Reviewed: August 24, 2020