CVSS Ratings Gets the Red, Amber, Green Treatment

FIRST, the Forum of Incident Response and Security Teams, has recently unveiled the latest version of its Common Vulnerability Scoring System (CVSS). This is a major update from v3 and the first in over four years.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups:

  • Base: the intrinsic qualities of the reported vulnerability
  • Threat: metrics that relate to how the threat changes over time
  • Environmental: metrics that relate to the target user's system environment
  • Supplemental: metrics that provide additional insight into the threat and are used to modify the Environmental and Threat metrics

When we talk of a security vulnerability being 9.9 out of ten, this is what we are referring to.
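As an added example (not code from the post or from FIRST), the following Python splits a CVSS v4.0 vector string into the four metric groups listed above, rejects malformed input, and maps a score such as 9.9 to its qualitative rating; the metric abbreviations and rating thresholds are taken from the CVSS v4.0 specification.

```python
import re

# CVSS v4.0 metric abbreviations, grouped as in the FIRST specification.
CVSS4_GROUPS = {
    "Base": ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"],
    "Threat": ["E"],
    "Environmental": ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                      "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"],
    "Supplemental": ["S", "AU", "R", "V", "RE", "U"],
}
GROUP_OF = {m: g for g, metrics in CVSS4_GROUPS.items() for m in metrics}
_METRIC_RE = re.compile(r"^([A-Z]+):([A-Za-z]+)$")


def parse_cvss4_vector(vector: str) -> dict:
    """Split a CVSS v4.0 vector into its four metric groups.

    Raises ValueError on a wrong version prefix, an unknown or duplicated
    metric, or a missing Base metric (all eleven Base metrics are mandatory).
    """
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector")
    groups = {g: {} for g in CVSS4_GROUPS}
    seen = set()
    for part in vector[len("CVSS:4.0/"):].split("/"):
        m = _METRIC_RE.match(part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name not in GROUP_OF:
            raise ValueError(f"unknown metric {name!r}")
        if name in seen:
            raise ValueError(f"duplicate metric {name!r}")
        seen.add(name)
        groups[GROUP_OF[name]][name] = value
    missing = [b for b in CVSS4_GROUPS["Base"] if b not in seen]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return groups


def severity_rating(score: float) -> str:
    """Map a 0.0-10.0 CVSS score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be between 0.0 and 10.0")
    for upper, rating in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return rating
    return "Critical"
```

Validating vectors this way before they enter a ticketing or vulnerability-management pipeline catches truncated or hand-edited strings early; the numeric score itself still comes from the official calculator.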

Aside from numerous minor revisions, one of the major additions in this latest version of the CVSS vulnerability reporting system is the Traffic Light Protocol (TLP). TLP was created to facilitate greater sharing of sensitive information and more effective collaboration. Information flows from a source to one or more recipients, and TLP provides four labels that indicate the sharing boundaries the recipients must apply:

  • TLP:RED = For the eyes and ears of individual recipients only; no further disclosure.
  • TLP:AMBER = Limited disclosure; recipients may only share this on a need-to-know basis within their organization and its clients.
  • TLP:AMBER+STRICT = Limited disclosure; sharing is restricted to the recipient's organization only.
  • TLP:GREEN = Limited disclosure; recipients may share this within their community.
  • TLP:CLEAR = Recipients may share this with the world; there is no limit on disclosure.

We at Readiness have focused on communicating risk, threats, and prescriptive next steps for the past four years. It's great to see how vulnerability reporting is maturing, especially when viewed through Red, Amber, Green glasses. 🙂

To find out more about these latest changes and the CVSS reporting system in general:

Greg Lambert