
CVSS Scoring Guide

Product Security Hub uses the Common Vulnerability Scoring System (CVSS) to quantify risk across threats and vulnerabilities. Every threat in our catalog comes pre-scored, and our AI can help you draft justifications for your scoring decisions.

What is CVSS?

The Common Vulnerability Scoring System is the industry standard for assessing the severity of security vulnerabilities.


CVSS v3.1

Widely adopted standard

The most widely used version today. Scores range from 0.0 to 10.0 and consider attack vector, complexity, privileges required, user interaction, scope, and CIA impact.

Severity Ratings:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

CVSS v4.0

Latest version (2023)

The newest version adds more granularity with additional metrics for attack requirements, provider urgency, and safety impact—particularly relevant for medical devices and critical infrastructure.

Key improvements:

  • Separate metrics for vulnerable vs. subsequent systems
  • Safety impact considerations
  • More precise exploitability assessment

Understanding CVSS Metrics

CVSS scores are calculated from multiple factors. Here's what each metric measures.

Exploitability

Attack Vector (AV)

How the attacker reaches the vulnerable component (Network, Adjacent, Local, Physical)

Attack Complexity (AC)

Conditions beyond the attacker's control that must exist (Low, High)

Privileges Required (PR)

Level of access needed before exploitation (None, Low, High)

User Interaction (UI)

Whether a user must take action (None, Required)

Impact

Confidentiality (C)

Impact on data secrecy (None, Low, High)

Integrity (I)

Impact on data trustworthiness (None, Low, High)

Availability (A)

Impact on system accessibility (None, Low, High)

Scope (S)

Whether impact extends beyond the vulnerable component (Unchanged, Changed)

Context Adjustments

Exploit Code Maturity

Availability and sophistication of exploit code

Remediation Level

Availability of fixes or workarounds

Report Confidence

Certainty in the vulnerability details

Modified Base Metrics

Adjustments for your specific environment

How Product Security Hub Uses CVSS

Pre-Scored Threat Catalog

Every threat in Product Security Hub's catalog comes with baseline CVSS v3.1 and v4 scores. These give you a starting point based on typical impact—you can adjust for your specific product context.

Vulnerability CVSS

When you scan SBOMs against Google OSV, vulnerabilities come with their NVD-assigned CVSS scores. During triage, you can adjust these based on your product's specific exposure.

Risk Prioritization

CVSS scores help you prioritize remediation efforts. Focus on Critical and High severity issues first, while tracking Medium and Low issues for planned maintenance cycles.

AI-Assisted CVSS Justifications

One of the most time-consuming parts of risk assessment is documenting why you scored something the way you did. Product Security Hub's AI helps by drafting justification text based on your scoring selections.

1. Select your CVSS values

Choose the appropriate values for each metric based on your product context.

2. AI drafts justification

Based on the threat context and your selections, AI generates explanatory text.

3. Review and approve

Edit the draft as needed, then save. The justification is linked to your score for traceability.

Example AI-Drafted Justification

Threat: Authentication bypass via default credentials

Score: CVSS 9.8 Critical

Justification:

"Attack Vector is Network (AV:N) because the device's web interface is accessible over the network. Attack Complexity is Low (AC:L) as default credentials are publicly documented. No privileges are required (PR:N) since the attacker exploits the default state. User Interaction is None (UI:N)—no user action needed. Scope is Unchanged (S:U) as compromise is limited to the device itself. Impact is High across Confidentiality, Integrity, and Availability (C:H/I:H/A:H) because full administrative access enables complete device control."

This draft can be edited before saving. You're always in control.

CVSS Scoring Best Practices

Tips for consistent, defensible risk scoring across your product portfolio.

Score for your context

Base CVSS scores from NVD assume worst-case scenarios. If your product doesn't expose a vulnerable component to the network, adjust the Attack Vector accordingly.

Document your reasoning

Always capture why you chose each metric value. This is crucial for audits and for future team members who need to understand past decisions.

Be consistent across products

Use the same criteria when scoring similar threats across different products. Product Security Hub's pre-scored catalog helps establish this baseline consistency.

Reassess when context changes

If your product's deployment model changes (e.g., from isolated to networked), revisit your CVSS scores. What was Low risk may now be High.

Ready to streamline your risk assessments?

Pre-scored threats, AI-assisted justifications, and complete traceability—all in one platform.