CVSS Scoring

CVSS stands for the Common Vulnerability Scoring System, an open industry standard designed to convey vulnerability severity and risk. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams).

Where can I learn more about CVSS standards?

The service supports CVSS Version 2 and CVSS Version 3.

For general CVSS standards information, visit the FIRST CVSS Home page at:

For specific information on the CVSS standards read here:

How do I enable CVSS Scoring?

Managers enable the CVSS Scoring feature for the subscription on the CVSS Setup page (Reports > Setup > CVSS). Note that CVSS Scoring is not enabled by default in a new subscription.

Once enabled, where can I see CVSS scores?

You'll see CVSS v2 and CVSS v3 scores, along with the vector strings, for vulnerabilities and potential vulnerabilities throughout the UI and in your reports. We do not display CVSS scores for information gathered. CVSS Base and Temporal scores are displayed in scan reports that include vulnerability details. The CVSS vector string is displayed in the CSV format of the scan report. CVSS scores are included in template-based scan reports with host-based and scan-based findings. CVSS v2 and CVSS v3 scores, along with the vector strings, are also displayed in the PCI scan report.

Learn more about CVSS vector strings

Tell me about CVSS scoring metrics

These values are needed to calculate the CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics. The Base and Temporal scores are provided by our security service. Environmental metrics are user-defined and assigned to asset groups.

Diagram showing CVSS metrics for calculating Final CVSS score


Tell me about service-provided values

Tell me about user-provided environmental metrics

How is the score calculated when a QID has multiple CVE IDs associated with it?

When this is the case, we use the highest CVE score value.