The Common Vulnerability Scoring System (CVSS) version 4.0 [1] [3] [4] [6] [7] [8] [9], announced by the Forum of Incident Response and Security Teams (FIRST), represents a significant advancement in vulnerability assessment. It aims to provide a more accurate and comprehensive evaluation for both industry and the public.


CVSS v4.0 addresses the criticisms levelled at its predecessor, CVSS v3.1 [1] [2] [3] [4] [6] [8], released in July 2019 [2]. While v3.1 stressed that environmental factors and attributes that change over time should be considered, it lacked granularity and did not adequately represent health [2], human safety [2], and industrial control systems [2] [5]. In response, CVSS v4.0 introduces supplemental metrics [6]: Safety [4] [6], Automatable [4] [6], Recovery [4] [6] [9], Value Density [4] [6], Vulnerability Response Effort [4] [6], and Provider Urgency [4] [6]. These metrics add context to the assessment and allow a more precise evaluation.

Additionally, CVSS v4.0 introduces a revised nomenclature for severity ratings [8], which makes explicit that the Base score alone is not the basis for assessment. This nomenclature should be used whenever a numerical CVSS value is displayed or communicated [2] [4] [6]. Furthermore, CVSS v4.0 is applicable to OT/ICS/IoT [8], since it incorporates Safety metrics and values.

The release of CVSS v4.0 by FIRST follows a two-month public comment period, during which the comments received were addressed. The adoption of CVSS v4.0 will help security teams assess and prioritize vulnerabilities more effectively using a standardized framework [1]. This update aims to improve accuracy [1], granularity [1] [2] [8], and applicability across various systems [1], and plays a crucial role in fortifying defenses against cyber-attacks [5].


The introduction of CVSS v4.0 brings significant improvements to vulnerability assessment, addressing the limitations of v3.1 and providing a more comprehensive evaluation. By incorporating supplemental metrics and a revised nomenclature, CVSS v4.0 improves the accuracy and granularity of vulnerability assessment, and its applicability to OT/ICS/IoT systems further strengthens its value. Adoption of CVSS v4.0 by security teams will enable more effective assessment and prioritization of vulnerabilities, ultimately bolstering defenses against cyber-attacks. For more information on the changes, please visit the FIRST website.