The soon-to-be-released Version 4.0 of the Common Vulnerability Scoring System (CVSS) promises to fix a number of issues with the severity metric for security bugs. But vulnerability experts say that prioritizing patches or measuring exploitability will still be a tough nut to crack.
The Forum of Incident Response and Security Teams (FIRST) released a preview of the next version of the CVSS last week at its annual conference. Version 4 will do away with the vague “temporal” metric, replacing it with the more descriptive “threat” metric and it will add other factors to the base metric calculation. The changes improve the overall usability of CVSS, according to FIRST, which added that companies and organizations can try the metric for grading current vulnerabilities and provide feedback prior to the launch of the general release.