The Common Vulnerability Scoring System (CVSS) version 4.0, announced by the Forum of Incident Response and Security Teams (FIRST), represents a significant advancement in vulnerability assessment. It aims to provide a more accurate and comprehensive evaluation for both industry and the public.
CVSS v4.0 addresses the criticisms received by its predecessor, CVSS v3.1, released in July 2019. While v3.1 emphasized the need to consider environmental factors and changing attributes, it lacked granularity and failed to adequately represent health, human safety, and industrial control systems. In response, CVSS v4.0 introduces supplemental metrics, such as Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. These metrics enhance vulnerability assessment and offer a more precise evaluation.
Additionally, CVSS v4.0 introduces a revised nomenclature for severity ratings, emphasizing that the Base score is not the sole basis for assessment. This new nomenclature should be used whenever a numerical CVSS value is displayed or communicated. Furthermore, CVSS v4.0 is applicable to OT/ICS/IoT, incorporating Safety metrics and values.
The release of CVSS v4.0 by FIRST follows a two-month public comment period, during which received comments were addressed. The adoption of CVSS v4.0 will help security teams assess and prioritize vulnerabilities more effectively using a standardized framework. This update aims to improve accuracy, granularity, and applicability across various systems, playing a crucial role in fortifying defense against cyber-attacks.
The introduction of CVSS v4.0 brings significant improvements to vulnerability assessment, addressing previous limitations and providing a more comprehensive evaluation. By incorporating supplemental metrics and a revised nomenclature, CVSS v4.0 enhances the accuracy and granularity of vulnerability assessment. Its applicability to OT/ICS/IoT systems further strengthens its value. The adoption of CVSS v4.0 by security teams will enable more effective assessment and prioritization of vulnerabilities, ultimately bolstering defense against cyber-attacks. For more information on the changes, please visit the FIRST website.