New CVSS 4.0 scoring system


It’s encouraging to see FIRST moving forward with CVSS 4.0. Vulnerability scoring has long been a challenge, and users have criticized it as too subjective. How applicable a CVSS score is varies from organization to organization, and the likelihood of actually being exposed to an attack depends on many factors beyond the score; for defenders, a score should be only one input to a response strategy, not the whole of it.

We should applaud some of the changes to the scoring, including the additional focus on ICS/SCADA/OT. Safety and availability requirements have a massive impact on industrial processes, and these considerations must be taken into account when assessing how critical a vulnerability is. Overall, the addition of new base metrics and values should make scores less subjective, and it shows that the criticisms levelled against the current system have been understood.
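To make the new metric groups concrete, here is an added example (not code from the post or from FIRST) that parses and validates a CVSS 4.0 vector string and pulls out the pieces an ICS/OT owner would look at first: the new subsequent-system impact metrics (SC/SI/SA), the Safety value (S:P in the supplemental group, or MSI:S/MSA:S in the environmental group) and the CVSS-B/BT/BE/BTE nomenclature. It validates metric names and values only; it does not compute the numeric score, which in CVSS 4.0 is a table lookup on the resulting MacroVector. The sample vectors are constructed for illustration and do not describe any real vulnerability.

```python
"""Minimal CVSS v4.0 vector parser and OT-oriented triage helper (added example)."""


def _v(values):
    """Build a set of allowed values; sets avoid the substring trap of `'HL' in 'XHLN'`."""
    return frozenset(values)


# Allowed values per metric, as defined in the CVSS v4.0 specification.
BASE = {
    "AV": _v("NALP"), "AC": _v("LH"), "AT": _v("NP"), "PR": _v("NLH"), "UI": _v("NPA"),
    "VC": _v("HLN"), "VI": _v("HLN"), "VA": _v("HLN"),   # impact on the vulnerable system
    "SC": _v("HLN"), "SI": _v("HLN"), "SA": _v("HLN"),   # impact on subsequent systems (new in 4.0)
}
THREAT = {"E": _v("XAPU")}
ENVIRONMENTAL = {
    "CR": _v("XHML"), "IR": _v("XHML"), "AR": _v("XHML"),
    "MAV": _v("XNALP"), "MAC": _v("XLH"), "MAT": _v("XNP"), "MPR": _v("XNLH"), "MUI": _v("XNPA"),
    "MVC": _v("XHLN"), "MVI": _v("XHLN"), "MVA": _v("XHLN"),
    "MSC": _v("XHLN"), "MSI": _v("XSHLN"), "MSA": _v("XSHLN"),   # 'S' = Safety impact on subsequent systems
}
SUPPLEMENTAL = {
    "S": _v("XNP"), "AU": _v("XNY"), "R": _v("XAUI"), "V": _v("XDC"), "RE": _v("XLMH"),
    "U": frozenset({"X", "Clear", "Green", "Amber", "Red"}),
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; raise ValueError on anything invalid."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector (expected 'CVSS:4.0' prefix)")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in ALL_METRICS:
            raise ValueError(f"unknown metric or malformed component: {part!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given more than once")
        if value not in ALL_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:  # every base metric is mandatory; the others are optional
        raise ValueError("missing mandatory base metric(s): " + ", ".join(missing))
    return metrics


def is_valid(vector: str) -> bool:
    """Convenience wrapper: True if the vector parses, False otherwise."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(metrics: dict) -> str:
    """CVSS v4.0 names a score after the groups actually supplied: CVSS-B, -BT, -BE or -BTE.
    A metric left at 'X' (Not Defined) does not count as supplied."""
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")


def ot_review(metrics: dict) -> dict:
    """Facts an ICS/OT owner wants before trusting the headline number (helper is our own, not FIRST's)."""
    return {
        "safety_impact": metrics.get("S") == "P"
        or "S" in (metrics.get("MSI", "X"), metrics.get("MSA", "X")),
        "subsequent_system_impact": any(metrics[m] != "N" for m in ("SC", "SI", "SA")),
        "availability_loss": metrics["VA"] == "H" or metrics["SA"] == "H",
        "attack_requirements": metrics["AT"],   # 'P' = preconditions outside the attacker's control
    }


if __name__ == "__main__":
    # Constructed sample: a PLC bug reachable from the adjacent network with safety consequences.
    plc = "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/S:P/AU:Y/R:I/AR:H"
    m = parse_vector(plc)
    print(nomenclature(m), ot_review(m))
```

The two checks worth carrying into a triage pipeline are the ones the parser enforces: refuse anything that is not a complete 4.0 base vector (a 3.1 string fails on the prefix, and a vector that drops the new AT metric fails as incomplete), and never let a supplemental S:P or an environmental MSI:S/MSA:S get lost, since those values do not change the numeric score but are exactly what an OT operator needs to see.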