MedTech Terms

    Common Vulnerability Scoring System

    An industry-standard 0–10 score that quantifies the severity of a software vulnerability.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    The Common Vulnerability Scoring System (CVSS) is an open, industry-standard framework - currently at version 4.0 (2023) - for assigning a numeric severity score (0.0–10.0) to a software vulnerability. CVSS produces three score types: Base (intrinsic characteristics), Temporal/Threat (how exploitability evolves), and Environmental (impact in a specific deployment). NVD publishes Base scores for every CVE; manufacturers and operators apply Temporal and Environmental adjustments locally.

    What the regulation says

    FDA's 2023 guidance recognizes CVSS as one acceptable severity framework for cybersecurity risk assessment. CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) model is increasingly preferred for triage decisions because it weighs exploitation status and mission impact better than headline CVSS. AAMI TIR57 and the FDA guidance both warn that CVSS alone is insufficient - clinical/safety impact must be added.

    What this means in practice

    CVSS is most useful as a starting point for triage. Mature MedTech teams take the NVD Base score, apply Environmental modifiers (is the vulnerable code path reachable in our device? is the affected interface exposed?), and combine the result with clinical-harm severity from ISO 14971 to make patch-priority decisions.

    Common pitfalls

    • Patching by Base score alone - high-CVSS vulnerabilities in unreachable code waste cycles; low-CVSS vulnerabilities that bridge networks may be urgent.
    • Ignoring Environmental metrics - they're the whole point of bringing CVSS into a device-specific risk decision.
    • Reporting CVSS scores to operators without your VEX exploitability assessment.

    Frequently asked questions

    v4.0 was released November 2023 and addresses several v3.1 weaknesses (better coverage of OT/IoT, supply-chain effects, safety impact). NVD now publishes both. Use v4.0 for new assessments; legacy v3.1 scores remain valid.


    Primary references

    1. FIRST CVSS v4.0 Specification (first.org)
    2. NIST NVD CVSS Calculator (nvd.nist.gov)
    3. CISA SSVC (cisa.gov)