The Common Vulnerability Scoring System (CVSS) is a public standard that is maintained by the Forum of Incident Response and Security Teams (FIRST) and provides a method for scoring IT-related vulnerabilities. Additional details and documentation for the standard are available at http://www.first.org/cvss.
CVSS rates a vulnerability according to three groups of metrics:
Base: Describes the intrinsic, technical severity of the vulnerability, which does not change over time or across environments
Temporal: Indicates how the severity changes over time, for example as exploit code matures or a fix becomes available
Environmental: Adjusts the severity for the impact on a specific deployed system
This document focuses on how Cisco uses CVSS. To learn more about the individual metrics or the scoring mechanics, please view the official documentation provided by FIRST.
The Cisco Product Security Incident Response Team (PSIRT) handles security vulnerabilities in all Cisco products. It is the only team tasked with communicating information about vulnerabilities in Cisco products to customers.
PSIRT also assigns and communicates CVSS scores to Cisco customers. In addition to external communications, PSIRT uses CVSS as a major component in prioritizing the team's workload.
CVSS Usage Within PSIRT
Cisco began transitioning to CVSSv3.1 in May 2020. Cisco security publications first released after the January 2017 adoption of CVSSv3.0, but before the CVSSv3.1 transition, reflect CVSSv3.0 scores.
When PSIRT receives a report of a potential vulnerability, PSIRT assigns a Base score to the vulnerability. This initial score is considered preliminary because it is often assigned without actually reproducing the issue described in the report. In scenarios where a vulnerability has a sufficiently high Base score and can be triggered by mobile autonomous code (for example, a virus or worm), a PSIRT manager will immediately start working on the report.
Whatever the preliminary score, it is recorded together with all information known at the time. The preliminary Base score is a major component in determining how soon a PSIRT Incident Manager takes the report from the input queue: higher-priority cases (those with higher Base scores) are usually selected first. To prevent lower-scored reports from sitting in the input queue for too long, the next available Incident Manager may be asked to verify older reports instead of a more recent report with a higher score.
When a PSIRT Incident Manager begins working on a report, the preliminary score may change. Although the score is assigned before all the facts about a vulnerability are known, it does not necessarily change: experience, knowledge of Cisco products, and knowledge of how those products are deployed help Incident Managers assign the correct score at the outset. Liaisons with other groups within and outside of Cisco are also helpful.
To ensure the most accurate and consistent scoring, the scores are verified by a second Incident Manager. Each report accepted by PSIRT has a primary and a backup owner. The primary owner actively works on the report while the backup owner monitors the situation and provides assistance when required. The primary duties of a backup owner include verifying the CVSS score assigned by the primary Incident Manager.
For reports in which these two scores do not match, the primary and backup Incident Managers reconcile the differences. Differences may occur when aspects of the report are understood differently, or when the backup Incident Manager can provide new insight or additional information that changes the overall understanding of the report. In either case, the primary and backup managers must agree on a single score.
This process produces the final score, and in nearly all instances it is the score presented in the Cisco Security Advisory or other PSIRT publication; the exception is when review uncovers new information that changes the Base score.
Cisco uses CVSS to provide customers with a single and common scoring system that is used by multiple vendors. In situations where vendors use their own proprietary scoring systems, it can be difficult for customers to determine the relative importance of reported vulnerabilities. The decision maker who must, for example, choose how an "Important" vulnerability in one product relates to an "Easy/Wide" confidentiality impact in another product has a difficult task. CVSS removes the obstacle of multiple scoring systems. Customers can use the same metrics to compare vulnerabilities and make timely, informed decisions on the relative impact to their environments.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.