FAQ : CVSS

Yes, a CVSS score can evolve over time, especially if new information emerges. For example, a public exploit, a patch bypass, or evidence of active exploitation can lead analysts to revise the temporal score or even the base vector if an initial assessment error is detected.

In addition, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

#CVE #CVSS

Yes, there is an official CVSS score calculator provided by the Forum of Incident Response and Security Teams (FIRST), which maintains the CVSS standard. It is accessible online at: https://www.first.org/cvss/calculator.

This calculator allows you to compose a vector by selecting the relevant metrics, and then automatically calculate the scores (base, temporal, environmental).

#CVE #CVSS

The CVSS (Common Vulnerability Scoring System) score measures the severity of a vulnerability by assigning it a rating from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective assessment of vulnerabilities, so that organizations can compare them with each other and prioritize their remediation.

This score takes into account several aspects: the ease of exploitation, the potential effects on confidentiality, integrity and availability, as well as the conditions necessary for the attack. In summary, the CVSS helps to quantify the inherent level of danger of a security flaw.

#CVE #CVSS

CVSS is broken down into three sub-scores:

  • Base Score: assesses the intrinsic severity of the vulnerability, independent of any context. It is generally public.
  • Temporal Score: adjusts the score based on factors such as the availability of an exploit or patch. It reflects the maturity of the threat.
  • Environmental Score: allows organizations to adapt the assessment to their own context (asset importance, exposure, business impact). It is customized to each company.

Combining these three layers makes CVSS a more flexible tool for refining remediation priorities according to conditions on the ground.

#CVE #CVSS

The CVSS scale ranges from 0.0 to 10.0, and each value range is associated with a severity level:

  • 0.0: None
  • 0.1 to 3.9: Low
  • 4.0 to 6.9: Medium
  • 7.0 to 8.9: High
  • 9.0 to 10.0: Critical

This classification allows organizations to filter vulnerabilities by severity, but it does not take into account the specific context of each company. That's why other criteria, such as active exploitation or the assets involved, should complement this assessment.

#CVE #CVSS

The CVSS score is generally defined by the organization that publishes the vulnerability, often a CNA (CVE Numbering Authority) or the software vendor concerned. In addition, entities such as the NVD (National Vulnerability Database) sometimes recalculate or adjust scores to ensure consistency between published CVEs.

Automated tools also allow independent researchers, SOC analysts, or security vendors to recalculate a score based on the published CVSS vector. This means that the same CVE can have several slightly different scores depending on the context and the evaluator, which encourages cross-referencing sources for critical decisions.

#CVE #CVSS #CNA #NVD

The CVSS score measures the intrinsic severity of a vulnerability, but not whether it is actually being exploited, nor its relevance in a given environment. For example, a flaw may have a high score but be difficult to exploit in your infrastructure, or conversely, a medium-severity flaw may affect a critical, unsegmented system.

For a more accurate risk assessment, it is important to integrate complementary indicators, such as:

  • The EPSS score (probability of actual exploitation)
  • Membership in the KEV list (confirmed exploitation)
  • The business or technical context of the affected environment

Thus, the CVSS should be seen as an indicator of severity, not a complete measure of risk.

#CVE #CVSS