New vulnerability rating system
A plan for the system, called the Common Vulnerability Scoring System (CVSS), was
unveiled at a recent RSA conference. If widely adopted, it could provide a common
language for describing the seriousness of computer security vulnerabilities
and replace the vendor-specific rating systems in use today.
The new scoring system is part of a project by the National Infrastructure Advisory
Council (NIAC) to create a global framework for disclosing information about security
vulnerabilities. Representatives from government and from IT companies such as
Cisco, Microsoft and Symantec, among others, contributed to the CVSS proposal.
CVSS will use standard mathematical equations to calculate the severity of newly
reported vulnerabilities from basic information such as whether a vulnerability can
be exploited remotely or whether an attacker must first log on to the vulnerable
system to exploit it. CVSS ratings will also take timing into account, such as
whether an exploit or a patch for a specific vulnerability is available, and for
how long it has been available.
IT security vendors will use CVSS in their products to evaluate and prioritise
software vulnerabilities. Vendors will also be asked to let customers enter
information about their own IT environment, such as the number and type of
systems affected, before a final CVSS rating is calculated.