New version of Common Vulnerability Scoring System Released at FIRST

Millions of computer users worldwide will enjoy more secure online experiences and transactions with the advent today of CVSS v2 – the latest version of the Common Vulnerability Scoring System. The release of version 2 was announced today by the Forum of Incident Response and Security Teams (FIRST) and the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).

CVSS provides a universal open and standardized method for rating IT vulnerabilities.

Over a dozen members of the CVSS-SIG collaborated extensively through 2006 and 2007 to revise and improve CVSS v1 by testing and re-testing hundreds of real-world vulnerabilities. CVSS v2 represents the collective feedback and experience of many of the early adopters and security professionals of the CVSS-SIG.

“We feel CVSS v2 addresses many of the early issues of CVSS v1 brought up both by consumers and the SIG. We are excited to announce this new version and are looking forward to using it,” said Gavin Reid, Chair of the CVSS SIG.

“CVSS v2 is a significant improvement over the original version. It reduces inconsistencies, provides additional granularity, and more accurately reflects the wide variety of vulnerabilities.”

“We believe that CVSS v2 demonstrates a new level of maturity in standardized vulnerability scoring,” added Steve Christey, of the MITRE Corporation, who edits Common Vulnerabilities and Exposures (CVE). “We wanted to achieve the best possible balance of accuracy, flexibility and usability.”

Another member of the programme team, Sasha Romanosky of Carnegie Mellon University, said that CVSSv2 “is even better at communicating the true properties of IT vulnerabilities for end-users, and for commercial and non-profit security organizations.”

As a part of the U.S. government’s SCAP (Security Content Automation Protocol) CVSS v2 will be used in standardizing and automating vulnerability management for many millions of computers, eventually rising to hundreds of millions.

CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS.

Nevertheless, the CVSS-SIG continues constantly to evaluate the standard by analyzing and scoring old and new vulnerabilities, examining feedback received from CVSS users, and fine-tuning the mathematical equations.

More than 450 delegates from 49 countries – the greatest geographical spread ever – were this week attending the 19th annual FIRST conference in Seville, Spain. The worldwide Forum of Incident Response and Security Teams leads the world's fight-back against cyber-crime, sabotage and terrorism, and consists of the Internet emergency response teams from 180 corporations, government bodies, universities and other institutions across the Americas, Asia, Europe and Oceania.