A New Vulnerability Scoring Standard: Evaluating the Transition to CVSS v4.0
Category: Research Poster
Author(s): Diana Goloshubina
Presenter(s): Diana Goloshubina
Mentor(s): Viktoria Koscinski
The Common Vulnerability Scoring System (CVSS) is an open industry standard, maintained by FIRST, for assessing and ranking the severity of software vulnerabilities on a scale from 0.0 to 10.0 so that organizations can decide which ones to remediate first. CVSS version 3.1 is currently the most widely adopted version, but it has drawn several critiques: a tendency to rate most vulnerabilities as “High” or “Critical” (a score of 7.0 or above), a base score that carries no contextual information such as exploit status (the v3.1 Temporal metrics exist but are rarely published, and NVD records base metrics only), and metric definitions ambiguous enough that different analysts score the same flaw differently. CVSS version 4.0, released by FIRST in November 2023, seeks to close these gaps: it adds an Attack Requirements metric, replaces the Scope metric with separate impact metrics for the vulnerable system and for subsequent systems, replaces the Temporal group with a Threat group keyed on exploit maturity, adds Supplemental metrics, and swaps the closed-form v3.1 equations for a lookup over equivalence classes of metrics (MacroVectors) intended to yield finer-grained, more consistent scores. This study conducts a large-scale empirical analysis of CVSS v3.1 and v4.0 by applying both frameworks to thousands of vulnerabilities in the National Vulnerability Database (NVD). We aim to quantify the scoring shift between versions for the same vulnerabilities and to evaluate whether v4.0 yields a more granular and accurate distribution of severity that better correlates with real-world exploitability.