CVSS Scoring and Vulnerability Prioritization
Learn how the Common Vulnerability Scoring System rates severity and how security teams use scores to prioritize patching and remediation work.
Why Vulnerability Prioritization Matters
After running a vulnerability scan, an organization may discover hundreds or thousands of vulnerabilities across its systems. Trying to patch everything immediately is neither possible nor strategic: resources are limited and not all vulnerabilities carry equal risk. Vulnerability prioritization is the process of ranking vulnerabilities by their actual risk to the organization so that the most dangerous issues are addressed first. Effective prioritization prevents the common mistake of patching minor, low-impact issues while a critical remote code execution vulnerability waits in the queue.
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open framework that provides a standardized numerical score (0.0-10.0) representing the severity of a security vulnerability. CVSS is maintained by FIRST (Forum of Incident Response and Security Teams) and is the primary scoring system used in the NVD (National Vulnerability Database). This lesson uses CVSS v3.1, the version NVD and most vendor advisories publish; FIRST released CVSS v4.0 in November 2023, which renames the Temporal group to Threat and adds a Supplemental group, but the concepts below carry over. CVSS v3.1 calculates scores from three metric groups: Base (intrinsic vulnerability characteristics: attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity and availability impact), Temporal (factors that change over time: exploit code maturity, remediation level, and report confidence), and Environmental (organization-specific modifiers that adjust the Base metrics to the affected asset). Only the Base metrics are required to produce a score; the others are optional refinements. Keep in mind that the Base Score measures severity, not risk: it says nothing about whether the vulnerable component is exposed, whether an exploit exists in the wild, or how important the asset is, which is why prioritization should combine CVSS with that context rather than sort on the score alone.
# CVSS v3.1 severity ratings:
# 0.0: None
# 0.1-3.9: Low
# 4.0-6.9: Medium
# 7.0-8.9: High
# 9.0-10.0: Critical
# Example CVSS v3.1 base scores (as published by NVD):
# EternalBlue (CVE-2017-0144): 8.1 High (Attack Complexity is High, which keeps it below Critical despite full C/I/A impact)
# Heartbleed (CVE-2014-0160): 7.5 High (Confidentiality impact only)
# Log4Shell (CVE-2021-44228): 10.0 Critical
# Shellshock (CVE-2014-6271): 9.8 Critical