Glossary

What Is a CVSS Score?

CVSS (Common Vulnerability Scoring System) is an open standard for rating the severity of security vulnerabilities on a scale from 0 to 10. It provides a consistent way to assess risk across different systems, teams, and organisations - helping security and IT leaders decide what to fix first.

The CVSS Severity Scale

None (0.0): No security impact.

Low (0.1 - 3.9): Minor issues, limited impact. Fix during regular maintenance cycles.

Medium (4.0 - 6.9): Meaningful risk, often requiring authentication or user interaction to exploit. Plan remediation within weeks.

High (7.0 - 8.9): Serious risk - can be exploited with some effort. Remediate within days.

Critical (9.0 - 10.0): Severe risk - easily exploitable, high impact on confidentiality, integrity, or availability. Fix immediately.

How a CVSS Score Is Calculated

CVSS uses a formula based on several metric groups. The Base Score is the primary rating, derived from two sub-groups:

Exploitability Metrics

Attack Vector - Network, adjacent, local, or physical?
Attack Complexity - Simple or requires special conditions?
Privileges Required - None, low, or high access needed?
User Interaction - Does the user need to click something?

Impact Metrics

Confidentiality - Can data be accessed?
Integrity - Can data be modified?
Availability - Can services be disrupted?
Scope - Can the impact spread beyond the vulnerable component?

A vulnerability that requires no authentication, can be exploited over the network with no user interaction, and compromises all three CIA pillars will score near 10.0. One that requires local access, high privileges, and user interaction will score much lower - even if the eventual impact is significant.

Using CVSS Scores Effectively

CVSS provides a useful baseline, but should not be the only factor in remediation decisions. Context matters. A Medium-severity vulnerability on a public-facing payment page may be more urgent than a Critical on an isolated internal tool.

This is why penetration testing is more valuable than vulnerability scanning alone - a pentest proves whether a vulnerability is actually exploitable in your specific environment and demonstrates real-world impact, giving you better data for prioritisation.

SQUR's pentest reports include CVSS scores for every finding, along with exploitation evidence, business impact assessment, and prioritised remediation guidance - so you know exactly what to fix first and why.

Frequently Asked Questions

What is a good CVSS score?

From a defender's perspective, lower is better - ideally 0. Anything rated High (7.0-8.9) or Critical (9.0-10.0) should be prioritised for immediate remediation. Medium (4.0-6.9) should be addressed within a defined timeframe based on context.

What is the difference between CVSS v3 and CVSS v4?

CVSS v4 (released 2023) adds Supplemental Metrics for context like safety impact, automatable exploitability, and provider urgency. It refines base scoring to better distinguish attack vectors. CVSS v3.1 remains widely used, and many tools report both versions.

Should I fix all Critical vulnerabilities first?

Not necessarily. CVSS score should be one factor alongside: whether the vulnerability is actually exploitable (a pentest proves this), whether it's internet-facing, what data is at risk, and whether a known exploit exists in the wild. Context-aware prioritisation leads to better outcomes than purely score-based ordering.
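To make the contrast between score-only and context-aware ordering concrete (both the "Using CVSS Scores Effectively" section and this answer describe it), here is a small Python example added for illustration; it is not SQUR's prioritisation method. The precedence it uses (confirmed exploitability, then internet exposure, then data at risk, then a known public exploit, with the CVSS score only as a tie-break) is an assumed heuristic built from the factors listed above, and the findings are constructed sample data modelled on the payment-page versus isolated-internal-tool case from the text.

```python
"""Context-aware prioritisation of findings (added example, not SQUR's method).

The ordering is a hypothetical heuristic built from the factors the text
lists; SAMPLE_FINDINGS are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float             # base score from the scanner or pentest report
    exploitable: bool       # confirmed exploitable in this environment (pentest evidence)
    internet_facing: bool   # reachable from the public internet
    sensitive_data: bool    # payment, personal or other regulated data in reach
    known_exploit: bool     # public exploit observed in the wild


def context_key(f: Finding) -> tuple:
    """Sort key; higher sorts first. Assumed precedence: proven exploitability,
    then exposure, then data at risk, then known exploit, then CVSS as tie-break."""
    return (f.exploitable, f.internet_facing, f.sensitive_data, f.known_exploit, f.cvss)


def prioritise_by_context(findings):
    """Context-aware order the text recommends."""
    return sorted(findings, key=context_key, reverse=True)


def prioritise_by_score(findings):
    """Purely score-based order, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed findings: the RCE scores highest but sits on an isolated host where
# the pentest could not reach it; the payment-page XSS is Medium but live and exposed.
SAMPLE_FINDINGS = [
    Finding("Stored XSS on public payment page", 6.1, True, True, True, False),
    Finding("Remote code execution in isolated internal build tool", 9.8, False, False, False, True),
    Finding("IDOR in customer portal exposing order history", 7.5, True, True, True, False),
    Finding("Outdated JavaScript library on internal wiki", 4.3, False, False, False, False),
]

if __name__ == "__main__":
    print("Score-only order:")
    for f in prioritise_by_score(SAMPLE_FINDINGS):
        print(f"  {f.cvss:4.1f}  {f.title}")
    print("Context-aware order:")
    for f in prioritise_by_context(SAMPLE_FINDINGS):
        print(f"  {f.cvss:4.1f}  {f.title}")
```

Score-only ordering puts the 9.8 RCE first; the context-aware ordering puts the two exposed, proven-exploitable customer-facing findings ahead of it and leaves the unreachable RCE for a later cycle, which is exactly the outcome the text argues for. The tuple key is the simplest way to express "these factors dominate the score"; a real programme would replace the booleans with evidence from the pentest report and asset inventory.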

Related Terms

CVE, Penetration Testing, Vulnerability Scanning, False Positive, Remediation, OWASP
