New vulnerability rating system

The plan for the system, called Common Vulnerability Scoring System (CVSS), was unveiled at a recent RSA conference. If widely adopted, it can provide a common language for describing the seriousness of computer security vulnerabilities and replace vendor-specific rating systems.

The new scoring system is part of a project by the National Infrastructure Advisory Council to create a global framework for disclosing information about security vulnerabilities. Representatives from the government and IT companies such as Cisco, Microsoft and Symantec, amongst others contributed to the CVSS proposal.

CVSS will use standard mathematical equations to calculate the severity of fresh vulnerabilities based upon basic information such as whether vulnerability can be remotely exploited or whether an attacker must log on to a vulnerable system to exploit a security hole. CVSS ratings will also consider timing issues such as whether an exploit or a software patch for a specific vulnerability is available, and for how long it has been available.

IT security vendors will use CVSS in their products to evaluate and prioritise software vulnerabilities. Vendors will also be asked to provide ways for customers to enter information about their IT environment such as the number and type of systems affected before calculating a final CVSS rating.