CVSS Implementation Guidance

This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.