CVE/CVSS Vulnerability Scoring
CVE provides a standardized identifier for publicly disclosed security vulnerabilities, while CVSS provides a numerical score reflecting the severity of each vulnerability.
CVE (Common Vulnerabilities and Exposures) is a standardized dictionary of publicly disclosed cybersecurity vulnerabilities maintained by the MITRE Corporation and sponsored by the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Each CVE entry receives a unique identifier in the format CVE-YYYY-NNNN (the sequence number has at least four digits and can be longer, e.g. CVE-2021-44228), a brief description of the vulnerability, and references to advisories, patches, and, where available, proof-of-concept code. The CVE program enables security teams, vendors, and researchers to communicate about specific vulnerabilities using a common language, avoiding the confusion that arose when different vendors assigned different names to the same vulnerability. A CVE ID identifies a vulnerability; it says nothing on its own about how severe it is.
CVSS (Common Vulnerability Scoring System), maintained by FIRST (Forum of Incident Response and Security Teams), provides a standardized numerical method for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0, with qualitative bands of None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). CVSS v3.1, still the version most scanners and the NVD report, uses three metric groups. The Base Score captures the intrinsic characteristics of a vulnerability: attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, scope (whether exploitation can affect components beyond the vulnerable component), and the impact on confidentiality, integrity, and availability. The Temporal Score adjusts the base score for exploit code maturity, remediation level, and report confidence. The Environmental Score further adjusts the score for the specific characteristics and importance of the affected system in the target environment. CVSS v4.0, published by FIRST in November 2023, keeps the same scale but restructures the groups: Temporal becomes Threat, a Supplemental group is added, the Scope metric is replaced by separate impact metrics for the vulnerable system and for subsequent systems, and an Attack Requirements metric is introduced. Because the two versions weigh metrics differently, a v3.1 and a v4.0 score for the same vulnerability should not be compared directly.
Organizations use CVSS scores as a primary input to vulnerability management programs that must triage and prioritize thousands of vulnerabilities identified by vulnerability scanners (such as Tenable Nessus, Qualys, or Rapid7 InsightVM) across their IT and OT environments. However, CVSS base scores alone can be misleading, and FIRST's own user guide stresses that CVSS measures severity, not risk: a CVSS 9.8 vulnerability in a library used only in an isolated internal system may require less urgent remediation than a CVSS 7.5 vulnerability in an internet-facing application processing sensitive data. Evidence of real-world exploitation is therefore an essential supplement to the score. The CISA Known Exploited Vulnerabilities (KEV) catalog, the FIRST Exploit Prediction Scoring System (EPSS), and threat intelligence feeds that indicate active exploitation in the wild should be combined with CVSS and with asset context (exposure, data sensitivity, compensating controls) for effective prioritization.
Engineering practices for vulnerability management include integrating CVE/CVSS data into software composition analysis (SCA) tools in CI/CD pipelines, automating patch assessment and deployment through configuration management platforms, building SBOM (Software Bill of Materials) registries that enable rapid impact assessment when new CVEs are published, and implementing compensating controls (such as WAF rules or network segmentation) for vulnerabilities that cannot be immediately patched. CVSS scores also inform penetration testing scoping decisions and are referenced in vendor risk assessment questionnaires and third-party security review processes.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.