Safeguard
Vulnerability Management

CVSS scoring

What is CVSS? A clear breakdown of the Common Vulnerability Scoring System, base vs temporal scores, CVSS v4 changes, and how to prioritize real risk.

Aman Khan
AppSec Engineer
7 min read

CVSS, the Common Vulnerability Scoring System, is the industry-standard framework for measuring how severe a software vulnerability is, expressed as a number from 0.0 to 10.0. If you've ever looked at a CVE entry and wondered why one flaw is rated "9.8 Critical" while another sits at "4.3 Medium," the answer is CVSS. So what is CVSS, exactly? It's a vendor-neutral standard maintained by FIRST (the Forum of Incident Response and Security Teams) that converts technical characteristics of a vulnerability — how it's exploited, what it compromises, how hard it is to pull off — into a single, comparable score. Security teams use that score to triage the flood of vulnerabilities hitting their systems every week, deciding what gets patched tonight versus next quarter. It's not a perfect measure of real-world risk, but it's the common language every vendor, scanner, and compliance framework speaks.

What Is CVSS and Why Does It Matter?

CVSS is a scoring standard, not a single number generator — it's a formula-driven system that translates a vulnerability's technical properties into a 0-10 severity rating, with 10 being the most severe. It was created because before CVSS existed (the first version shipped in 2005), every vendor had its own ad-hoc severity labels, and "critical" from one vendor might mean something totally different from "critical" at another. That made it nearly impossible for a security team managing tools from a dozen vendors to prioritize consistently. CVSS fixed that by defining a shared vocabulary: metrics like Attack Vector, Attack Complexity, Privileges Required, and Impact, each with defined values that feed into a documented formula.

The practical reason CVSS matters is prioritization at scale. A mid-size company might see hundreds of new CVEs a month across its dependencies, containers, and infrastructure. Nobody can manually triage that volume. CVSS gives teams a defensible, repeatable way to say "fix the 9.x scores this week, schedule the 4.x scores for the next patch cycle" — and to justify that decision to auditors, executives, and customers who ask why a given vulnerability wasn't remediated sooner.

How Is a CVSS Score Explained Through Its Metrics?

A CVSS score explained properly comes down to three metric groups: Base, Temporal, and Environmental, though most of what you see in a CVE record is the Base score alone. The Base score captures the intrinsic, unchanging characteristics of a vulnerability — things that don't shift based on the passage of time or the specific environment it's found in. It's built from two sub-groups: Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) and Impact metrics (Confidentiality, Integrity, Availability, each rated None/Low/High).

Take a concrete example: CVE-2021-44228, better known as Log4Shell, scored a 10.0 under CVSS v3.1. It earned that maximum score because it hit every worst-case value — Attack Vector: Network (exploitable remotely over the internet), Attack Complexity: Low (no special conditions needed), Privileges Required: None (no authentication needed), User Interaction: None (no victim action required), and High impact across confidentiality, integrity, and availability, since a successful exploit gave attackers full remote code execution. Compare that to a vulnerability requiring local disk access and administrator privileges to trigger a minor information leak — even if the underlying bug class is similar, that one might score in the 3-4 range because the exploitability metrics are all far less favorable to the attacker.

What's the Difference Between CVSS Base vs Temporal Score?

The CVSS base vs temporal score distinction is about time: the base score is fixed at disclosure, while the temporal score adjusts it as real-world conditions evolve. Temporal metrics layer on top of the base score to reflect three things that change after a vulnerability becomes public: Exploit Code Maturity (is there a proof-of-concept, or is it actively being exploited with weaponized tooling?), Remediation Level (is there an official patch, a workaround, or nothing at all?), and Report Confidence (is the vulnerability confirmed, or still unverified?).

In practice, a vulnerability might launch with a base score of 7.5 and a temporal score of 6.8 because no exploit code exists yet and a vendor patch is already available. Six months later, if a working exploit gets published on GitHub and starts showing up in commodity malware kits, the temporal score climbs toward the base score again — same underlying flaw, but the operational urgency has clearly increased. Very few organizations track temporal scores manually because they require continuous updates, which is exactly the kind of thing threat intelligence feeds and vulnerability management platforms are built to automate.

What Changed in CVSS v4?

CVSS v4 changes address the biggest long-standing criticism of the standard: that a single base score doesn't tell you much about actual exploitation risk or business impact. Released by FIRST in late 2023, CVSS v4.0 retired the old "Temporal" naming in favor of "Threat" metrics, added a new Supplemental metric group (covering things like Automatable, Recovery, and Safety impact), and — most significantly — split Impact into separate Vulnerable System and Subsequent System metrics. That last change directly targets scenarios where a vulnerability in one component cascades into a completely different system, such as a compromised library that lets an attacker pivot into a connected database or cloud service — something CVSS v3.1's single impact score couldn't represent well.

CVSS v4 also removed the much-maligned "Scope" metric from v3.1, which many practitioners found confusing and inconsistently applied, and replaced it with the clearer vulnerable/subsequent system split. For organizations still running v3.1 scoring in their tools, the transition matters because scores calculated under v4 are not directly comparable to v3.1 scores for the same vulnerability — a 7.2 under v3.1 might land at a different value under v4 for reasons unrelated to the actual severity of the flaw, purely due to methodology changes.

How Does CVSS Fit Into the Broader Vulnerability Scoring Landscape?

The Common Vulnerability Scoring System is the foundation most other vulnerability prioritization tools build on top of, rather than replace. NVD (the National Vulnerability Database) publishes a CVSS base score for nearly every CVE, and that score feeds directly into SCA tools, container scanners, and SIEM correlation rules across the industry. But CVSS was never designed to answer "is this actively being exploited against organizations like mine right now?" — that's a threat-intelligence question, which is why frameworks like EPSS (Exploit Prediction Scoring System) and CISA's Known Exploited Vulnerabilities (KEV) catalog have emerged as complements, not replacements. A vulnerability can carry a CVSS score of 9.8 and see zero real-world exploitation, while another sits at 6.1 and is actively weaponized in ransomware campaigns. Mature vulnerability management programs use CVSS as the starting filter and then layer EPSS likelihood data, KEV status, and asset context (is this internet-facing? does it touch regulated data?) on top before deciding what actually gets fixed first.

How Safeguard Helps

Safeguard treats CVSS as a starting point, not a finish line. Our platform ingests CVSS base scores for every vulnerability detected across your software supply chain — dependencies, container images, build artifacts, and infrastructure-as-code — and automatically layers in the context that a raw score can't provide: whether the vulnerable code path is actually reachable in your application, whether the component is exposed to the internet, whether an exploit is known to exist in the wild, and whether the affected package sits in a production build versus a dev-only dependency.

That means when Safeguard surfaces a finding, your team isn't staring at a spreadsheet of CVSS numbers trying to guess what matters. A 9.8 in a library your code never calls gets deprioritized automatically, while a 6.5 with a confirmed public exploit and a direct path to a production service gets flagged for immediate remediation. Safeguard also tracks how scores shift over time — including the transition from CVSS v3.1 to v4.0 scoring across your vulnerability inventory — so nothing falls through the cracks because a vendor re-scored an old CVE. For compliance teams, Safeguard maintains an auditable record of every CVSS score, remediation decision, and SLA tied to your patching policy, so when an auditor asks why a critical vulnerability was remediated within 48 hours or deferred with documented compensating controls, the evidence is already there. The result is a vulnerability management workflow that uses CVSS the way it was intended — as one strong signal among several — rather than treating it as the entire risk equation.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.