The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.
CVSS captures the principal characteristics of a vulnerability (how it is reached, what access it needs, and what it does to confidentiality, integrity and availability) and combines them into a numerical score from 0.0 to 10.0 reflecting its severity. The numerical score is then translated into a qualitative severity rating (Low, Medium, High or Critical; CVSS v3.x also defines None for a score of 0.0) to help organisations assess findings consistently and prioritise their vulnerability management processes.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world.
At Defense.com, we use CVSS scores to provide feedback in our Pen Test and Vulnerability Scan Reports.
Below is a breakdown of the level of risk each numerical CVSS score relates to. The score ranges are the CVSS v3.x qualitative severity rating scale published by FIRST; a score of 0.0 has the severity "None" and is not listed.

| RISK LEVEL | CVSS SCORE | DESCRIPTION |
|---|---|---|
| CRITICAL | 9.0 to 10.0 | A critical risk indicates a serious and immediate risk of systems and data being compromised. |
| HIGH | 7.0 to 8.9 | High risk indicates that a serious weakness or exposure exists. |
| MEDIUM | 4.0 to 6.9 | Medium risk indicates a significant issue that needs to be addressed. |
| LOW | 0.1 to 3.9 | Low risk indicates minor issues that are usually harmless in isolation but can help an attacker profile an organisation. |