CVSS Scores

The Common Vulnerability Scoring System (CVSS) is an open, standardized method for rating the severity of security vulnerabilities. CVSS was developed by the Forum of Incident Response and Security Teams (FIRST). The National Institute of Standards and Technology (NIST) has provided CVSS scores for all Common Vulnerabilities and Exposures (CVE) in its database.

If a vulnerability covered by Tripwire does not have a CVE, it will not have a NIST-calculated CVSS score.  In this case, Tripwire calculates a CVSS score based on the attributes of the vulnerability.  NIST does not calculate a Temporal Score Metric for any CVSS score.  Consequently, Tripwire calculates Temporal Score Metrics for all CVSS scores, irrespective of whether the CVSS scores were calculated by NIST or by Tripwire.  The Temporal Score Metric is accompanied by a Temporal Score Vector, which describes the attributes used to calculate the Temporal Score Metric.

The calculator used to create CVSS scores is available at NIST’s National Vulnerability Database. More information about CVSS is available from FIRST.