FIRST Announces CVSS v4.0 release

In a previous blog post, we highlighted the announcement of the Common Vulnerability Scoring System version 4.0 (CVSS v4.0) public comment period, which closed on September 30, 2023. In the time since, the CVSS Special Interest Group (SIG) has been hard at work addressing and responding to each comment, finalizing documentation and code and putting some final touches in place.

As a member of the CVSS SIG and an avid consumer of the CVSS standards, Red Hat is happy to highlight FIRST’s official release of the version 4.0 standard. As of November 1st, 2023, CVSS v4.0 is available for all to use and consume, and various companies (including Red Hat) are working to roll out official support of the v4.0 standard.

If CVSS v4.0 is of interest to you or your organization, we recommend reviewing FIRST’s CVSS v4.0 landing page, which highlights the primary differences between v3.1 and v4.0. Additional technical information can also be found in a FIRST authored presentation, which describes the changes and additions in more detail. With this new release, a Specification Document, User Guide and FAQ page have been created to help with the understanding and adoption of the new standard. Finally, FIRST provides a self-paced, no-cost CVSS training course that does not require a user account.

All of the CVSS v4.0 information linked in this blog post can also be found by visiting FIRST’s CVSS home page.

Any questions or feedback about the new standard can be submitted to cvss@first.org.

Additional resources:

• FIRST’s website
• Red Hat’s Severity Ratings (and description of CVSS)