Common Vulnerability Scoring System v1 Archive
The CVSS Team have provided a historic record of the first version of CVSS here. These should not be used for scoring or other CVSS related activities and are only of historic interest.
FIRST to host CVSS
[ 14 April 2005 ]
The National Infrastructure Advisory Council (NIAC) has chosen FIRST to be the custodian of the Common Vulnerability Scoring System (CVSS), the emerging standard in vulnerability scoring. This rating system is designed to provide open and universally standard severity ratings of software vulnerabilities. There is a critical need to help organizations appropriately prioritize security vulnerabilities across their constituency. The lack of a common scoring system has security teams worldwide solving the same problems with little or no coordination. FIRST will closely collaborate with CERT/CC and MITRE on this.
The framework is in its first-generation stage - there is a need for active participation within the global IT community during its implementation and testing phase in an effort to gather feedback for future developments and enhancements to increase the scoring system's usability and acceptance. This feedback will initially be provided by a Special Interest Group within FIRST.
The biggest challenge facing any new standard is universal adoption. In order to address the inconsistency of scoring metrics for vulnerabilities, FIRST believes that a global approach towards adoption of the new standard is the best strategy. FIRST is uniquely qualified, through the international collaboration occurring within the organization on a regular basis, both to promote the adoption of CVSS inside and outside of its membership and to maintain the standard going forward.
Key Factors to Global Adoption
Some of the key factors of gaining global adoption of a Common Vulnerability Scoring System include global visibility, support of IT vendors and community worldwide, and a basic understanding of how the system works. The Internet and its vulnerabilities do not belong to one country, and therefore any technology that is to be adopted globally must have technical merit and the support of an internationally recognized, non-governmental organization. Incident response teams who deal with cyber security on a daily basis are the ideal group to use and advocate this system. The Forum of Incident Response and Security Teams (FIRST), a not-for-profit corporation, is the premier organization and recognized global leader in incident response.
FIRST consists of a global network of computer security incident response teams (CSIRTs) that work together voluntarily to deal with computer security problems and promote incident prevention programs. These teams represent government, law enforcement, commercial, education and other organizations spread over the Americas, Asia, Europe and Oceania. FIRST was the obvious choice, and NIAC has officially endorsed our bid for hosting, updating and promoting CVSS. This aligns well with the primary purpose of FIRST: providing an international forum for participating organizations to work together to share current information and tools, solve common problems, plan future strategies and promote computer security around the world.
As part of our mission, FIRST encourages and promotes the development of quality security products, policies & services and computer security best practices. FIRST is uniquely organized and positioned to offer the best home and support for the Common Vulnerability Scoring System.
Approach
The FIRST Steering Committee has established a Vulnerability Metrics Committee to be chaired by Gavin Reid of Cisco Systems (and co-chaired by Jim Duncan, a CVSS and VDF contributor), with the task of building a working group, evangelizing CVSS and the Vulnerability Disclosure Framework (VDF), soliciting and approving funding for projects to implement or improve CVSS, and building toward a next version. This committee will take on the task of promoting CVSS to the global Internet community through the delivery of presentations, white papers, software tools and face-to-face meetings with a global target audience.
Since the framework is in its first-generation stage, there is a need for active participation within the global IT community during its implementation and testing phase in an effort to gather feedback for future developments and enhancements to increase the scoring system's usability and acceptance. We will volunteer a wide range of participants from FIRST representing the different functional areas that make up the FIRST community (commercial, governmental and educational).
Key Elements of this Proposal
- Promote and educate the information technology community on the benefits of using a common scoring system framework to describe the severity of computer security vulnerabilities replacing vendor-specific severity rating systems
- Foster cooperation among information technology constituents in the effective implementation and testing of the Common Vulnerability Scoring System framework
- Provide a means for the communication of the CVSS Vendor Base and/or Temporal scoring information on published vulnerabilities
- Support the actions and activities of FIRST's CVSS Committee including research, software development and operational activities
- Facilitate the sharing of CVSS-related information, tools, and techniques.
Conclusion
The biggest challenge facing any new standard is universal adoption. In order to address the inconsistency of scoring metrics for vulnerabilities, FIRST believes that a global approach towards adoption of the new standard is the best strategy. FIRST is uniquely qualified, through the international collaboration occurring within the organization on a regular basis, both to promote the adoption of CVSS inside and outside of its membership and to maintain the standard going forward.
Summary
- CVSS is a process, developed by NIAC, for evaluating vulnerabilities using common approaches.
- NIAC has chosen FIRST to be the organization managing the long-term direction of CVSS.
- Some parties have already successfully implemented CVSS and FIRST will be sharing best practices with members.
- FIRST will create the Vulnerability Metrics Committee to be chaired by Gavin Reid to enrich the document and help push the standard forward.
The CVSS Pioneers
FIRST acknowledges the CVSS pioneers, who wrote the original NIAC/CVSS document:
- Mike Schiffman (Cisco Systems)
- Gerhard Eschelbeck (Qualys)
- Dave Ahmad (Symantec)
- Andrew Wright (Cisco Systems)
- Sasha Romanosky (Carnegie Mellon University)
Participation
To participate in this growing standard and join the discussions, please send a note to the FIRST Secretariat (first-secfirst.org) and ask to be added to the CVSS SIG and its mailing list. We would like as many people as possible to try CVSS out for vulnerability scoring and share their experiences on this mailing list. This list is also a way to send questions, comments and feedback directly to the CVSS team.
Chair
- Gavin Reid (Cisco Systems)
Mailing list: cvss-sig at first.org