What CVSS does
The Common Vulnerability Scoring System (CVSS), maintained by FIRST, provides a standardised way to communicate the characteristics and severity of software vulnerabilities. In v3.1 a vector string records metrics in three groups, Base, Temporal and Environmental, from which a 0.0 to 10.0 score and a qualitative rating (None, Low, Medium, High, Critical) are derived. The Base score reflects the intrinsic properties of the flaw only; it says nothing about whether an exploit is circulating or what the affected system is worth to your organisation, which is what the Temporal and Environmental groups exist to adjust. Version 4.0 (published in 2023) refines the Base metrics (for example a separate Attack Requirements metric and Active/Passive values for User Interaction), replaces the Temporal group with a Threat group, replaces Scope with separate Vulnerable System and Subsequent System impact metrics, and adds Supplemental metrics such as Safety, Automatable and Recovery; the CVSS-B, CVSS-BT, CVSS-BE and CVSS-BTE nomenclature makes explicit which groups a quoted score includes. While v4.0 is the current version, many Australian organisations continue to use CVSS v3.1 because their scanners, ticketing and SLA policies were built around it and much published advisory data still carries v3.1 vectors.
CVSS in Australian tenants today
Australian organisations, particularly in the mid-market, often use CVSS scores to set patching SLAs and to order remediation work. The ACSC Essential Eight patching controls set deadlines (for example 48 hours for internet-facing services when the vendor rates a vulnerability critical or a working exploit exists, and two weeks or a month otherwise, depending on asset type and maturity level) keyed on vendor criticality and exploit availability rather than on a raw CVSS number, although vendor ratings are in practice frequently derived from CVSS. Regulatory drivers point the same way: the Privacy Act 1988 (Cth), as amended in 2024 and enforced by the OAIC, requires reasonable steps to protect personal information under APP 11, and APRA CPS 234 (information security) and CPS 230 (operational risk management) require regulated entities to maintain controls commensurate with their threat exposure, which in both cases is read to include timely patching. None of these instruments prescribes a CVSS threshold, so CVSS is an input to the policy rather than the policy itself. Tooling reflects this: Microsoft Defender Vulnerability Management presents the CVSS score alongside Microsoft's own exposure and threat context, such as whether a public exploit exists and which devices are exposed, and ranks recommendations on that combined view rather than on CVSS alone, giving mid-market tenants a risk assessment tailored to their environment.