Common Vulnerability Scoring System
An industry-standard 0–10 score that quantifies the severity of a software vulnerability.
Definition
The Common Vulnerability Scoring System (CVSS) is an open, industry-standard framework - currently at version 4.0 (2023) - for assigning a numeric severity score (0.0–10.0) to a software vulnerability. CVSS produces three score types: Base (intrinsic characteristics), Temporal/Threat (how exploitability evolves), and Environmental (impact in a specific deployment). NVD publishes Base scores for every CVE; manufacturers and operators apply Temporal and Environmental adjustments locally.What this means in practice
CVSS is most useful as a starting point for triage. Mature MedTech teams take the NVD Base score, apply Environmental modifiers (is the vulnerable code path reachable in our device? is the affected interface exposed?), and combine the result with clinical-harm severity from ISO 14971 to make patch-priority decisions.- •Patching by Base score alone - high-CVSS vulnerabilities in unreachable code waste cycles; low-CVSS vulnerabilities that bridge networks may be urgent.
- •Ignoring Environmental metrics - they're the whole point of bringing CVSS into a device-specific risk decision.
- •Reporting CVSS scores to operators without your VEX exploitability assessment.
Frequently asked questions
Cross-references
Related terms
Shared paths + categoryA globally unique identifier for a publicly disclosed cybersecurity vulnerability.
A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.
A documented process for receiving, triaging, and responsibly disclosing security vulnerabilities reported by external researchers.
The designed-in ability to deploy security updates to a fielded medical device in a timely, controlled, and verifiable manner.
A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
The bundle of cybersecurity artifacts a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device.
Latest in MedTech
Primary references
3 sources- 1FIRST CVSS v4.0 SpecificationVerifiedFIRSTfirst.org
- 2NIST NVD CVSS CalculatorVerifiedNISTnvd.nist.gov
- 3CISA SSVCVerifiedCISAcisa.gov
Inline markers like [1] jump to the matching reference above.