The Common Vulnerability Scoring System remains a cornerstone of cybersecurity, with experts defending it from renewed criticism and arguing that it provides essential metrics for cybersecurity professionals, according to CyberScoop.
Maintained by the Forum of Incident Response and Security Teams and used to assess the severity of software vulnerabilities, CVSS has recently been challenged anew for its complexity, perceived imprecision, and potential misuse. Critics claim CVSS is flawed due to its static nature and reliance on quantitative models that can lead to misinterpretation. Some blame recent issues with the National Vulnerability Database, which suffered funding shortages and backlogs, for amplifying frustrations with CVSS scores. Others argue the problem lies in how organizations and regulators misuse the scores rather than with the system itself. Alternative approaches have been proposed, including the Exploit Prediction Scoring System, which assesses the likelihood of a vulnerability being exploited. However, experts note that EPSS lacks comprehensive coverage and integration into major vulnerability databases. Despite its limitations, CVSS remains widely adopted in government and industry standards, with experts emphasizing that it should be used alongside other risk assessment tools rather than as a standalone solution.