DocumentCode
900437
Title
Common Vulnerability Scoring System
Author
Mell, Peter ; Scarfone, Karen ; Romanosky, Sasha
Author_Institution
Comput. Security Div., US Nat. Inst. of Stand. & Technol., Gaithersburg, MD
Volume
4
Issue
6
fYear
2006
Firstpage
85
Lastpage
89
Abstract
Historically, vendors have used their own methods for scoring software vulnerabilities, usually without detailing their criteria or processes. This creates a major problem for users, particularly those who manage disparate IT systems and applications. The Common Vulnerability Scoring System (CVSS) is a public initiative designed to address this issue by presenting a framework for assessing and quantifying the impact of software vulnerabilities. Organizations currently generating CVSS scores include Cisco, US National Institute of Standards and Technology (through the US National Vulnerability Database; NVD), Qualys, Oracle, and Tenable Network Security. CVSS offers the following benefits: 1) standardized vulnerability scores, 2) contextual scoring and 3) open framework. The goal is for CVSS to facilitate the generation of consistent scores that accurately represent the impact of vulnerabilities.
Keywords
DP industry; security of data; software maintenance; software management; software reliability; IT systems; common vulnerability scoring system; consistent scores; contextual scoring; open framework; software vulnerability; standardized vulnerability scores; Application software; Authentication; Computer security; Cryptography; Dictionaries; Operating systems; Privacy; Standards publication; Uniform resource locators; CVE; Common Vulnerabilities and Exposures; NVD; National Vulnerability Database; vulnerability assessment;
fLanguage
English
Journal_Title
Security & Privacy, IEEE
Publisher
ieee
ISSN
1540-7993
Type
jour
DOI
10.1109/MSP.2006.145
Filename
4042667