Vulnerability scoring using CVSS

Vulnerability scoring is a highly subjective matter: it depends on the context and on the expertise of the person scoring the vulnerability. Hence, in the absence of a standard system, the score assigned to the same vulnerability can differ from person to person.

The Common Vulnerability Scoring System (CVSS) is a standard system for scoring vulnerabilities. It takes several different parameters into account before arriving at the final score. Using CVSS has the following benefits:

For simplicity, CVSS metrics are categorized into various groups, as shown in the following diagram:

We'll go through each of the metric categories in brief in the section ahead.