FAQ

FAQ : Information/CVSS

Yes, a CVSS score can evolve over time, especially if new information emerges. For example, a public exploit, a patch bypass, or evidence of active exploitation can lead analysts to revise the temporal score or even the base vector if an initial assessment error is detected.

In addition, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

#CVE #CVSS

Yes, there is an official CVSS score calculator provided by the Forum of Incident Response and Security Teams (FIRST), which maintains the CVSS standard. It is accessible online at: https://www.first.org/cvss/calculator.

This calculator allows you to compose a vector by selecting the relevant metrics, and then automatically calculate the scores (base, temporal, environmental).

#CVE #CVSS

CVSS is broken down into three sub-scores:

  • Base Score: assesses the intrinsic severity of the vulnerability, independent of any context. It is generally public.
  • Temporal Score: adjusts the score based on factors such as the availability of an exploit or patch. It reflects the maturity of the threat.
  • Environmental Score: allows organizations to adapt the assessment to their own context (asset importance, exposure, business impact). It is customized to each company.

Combining these three layers makes the CVSS model a more flexible tool for refining treatment priorities according to the reality on the ground.

#CVE #CVSS
