CVSS 4.0 vulnerability rating standard fails to provide patch peace-of-mind

Vulnerability patch management isn’t easy, despite 20 years of trying to make it better. The main problem is being able to prioritise the threat risk, and that’s where the Common Vulnerability Scoring System (CVSS) ratings come in — with the latest being the CVSS 4.0 vulnerability rating.

Some background. In a real-world environment, and under extreme pressure to close the most urgent of exploit windows, many businesses rely on the baseline rating of ‘low’ or ‘critical’.

The problem with the latter is that a vulnerability rated critical by a vendor may well not be a critical risk to your organisation. There are many reasons for this, including exploit requirements and the “threat vector”. Indeed, the real-world risk of a critical-rated vulnerability could vary from very low to critical for any given cross-section of business.

This is why many people have been waiting for the latest CVSS standard version to be published: CVSS 4.0 has been eight years in the making. The question is, do the new rating numbers add up to a better understanding of risk and patch prioritisation for most organisations?

What is CVSS?

CVSS, an open framework for “communicating the characteristics and severity of software vulnerabilities”, is both owned and managed by FIRST. This US-based non-profit says that you can think of CVSS as comprising four groupings:

• base
• threat
• environment
• supplemental

While all of these are important, with threat covering vulnerability characteristics that change over time and environment reflecting those related to your specific circumstances, it’s the base rating that, FIRST says, “represents the intrinsic qualities of a vulnerability that are constant over time and across user environments”.

Combining base values with “default values that assume the highest severity for threat and environmental metrics” results in the 0-10 scale, which is then represented as a qualitative severity rating and used by a huge number of organisations to assess patch priority.

“The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality,” said Chris Gibson, CEO at FIRST.

How does CVSS 4 help your business prioritise patching?

Pierre Samson, Chief Revenue Officer with Hackuity, calls CVSS 4 “a significant development indicative of the need for enhanced metrics to support businesses in assessing security vulnerabilities”.

He makes this call based on the finer granularity within the base metrics and easier assessment of environment-specific requirements. Supplemental metrics including those covering whether a vulnerability is workable, how resilient to recovery it is, the response effort required and urgency from the provider perspective all playing their part.

Samson concludes: “As threats continue to grow in scale, severity and sophistication it has become increasingly important for organisations to have the most accurate picture of what threats to prioritise based on their own business context.”

Will CVSS 4 work?

But will CVSS 4 really deliver that contextual information where it is needed most, on the frontline of business fighting to defend against the cyber criminal threat?

“The success of CVSS v4 hinges on widespread adoption by the cybersecurity vendors and community, clarity and ease of use of its refined metrics, and precise vulnerability evaluations,” says Saeed Abbasi, from the Threat Research Unit at Qualys.

And that, dear reader, is where I think we will fall short. At least for as long as the base metric is seen as the default and additional downstream context remains an aspirational thing rather than a necessity.