CVSS Scoring

CVSS stands for Common Vulnerability Scoring System, an open industry standard designed to convey vulnerability severity and risk. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams).


CVSS Standards

The service supports CVSS Version 2.

For general CVSS standards information, visit the FIRST CVSS Home page at:
http://www.first.org/cvss/

For information on the CVSS Version 2 standards, read the CVSS Version 2 standards specification guide at:
http://www.first.org/cvss/cvss-guide.html


Viewing CVSS Scores

CVSS scores are displayed for vulnerabilities and potential vulnerabilities in many places throughout the application when the CVSS Scoring feature is enabled in your account. The service does not display CVSS scores for information gathered findings. When CVSS Scoring is enabled, CVSS Base and Temporal scores are displayed in scan reports and compliance reports that include vulnerability details, as well as in online views of hosts, tickets and vulnerabilities. CVSS scores are also calculated and displayed in Auto scan reports.

Managers can enable the CVSS Scoring feature for the subscription by selecting the Enable CVSS Scoring option on the CVSS Setup page (Setup > CVSS). Note that CVSS Scoring is not enabled by default in a new subscription.

For each vulnerability and potential vulnerability, the service displays the CVSS Base score from NIST whenever available and the CVSS Temporal score, as provided by the service. The service looks up the latest NIST score for each vulnerability, as published in the National Vulnerability Database (NVD), when presenting vulnerability details to users. In a case where NIST lists a CVSS Base score of 0 or does not provide a score for a vulnerability in the NVD, the service determines whether the severity of the vulnerability warrants a higher CVSS Base score. If so, a service-generated score is displayed, marked with the footnote [1].

The CVSS score for each vulnerability is calculated following the formula specified in the CVSS Version 2 standards. We refer to this as the CVSS final score. Final CVSS scores are displayed in Auto scan reports only when asset groups are included in the report target.

The CVSS Environmental Metrics influence the final CVSS score for a vulnerability. Users set values for the environmental metrics in the asset groups defined in their account.


CVSS Scoring Metrics

The following values are needed to calculate the CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics. The Base and Temporal scores are provided by the service and assigned to vulnerabilities. These scores are viewable in vulnerability details. Environmental metrics are user-defined and assigned to asset groups.


[Image: cvss_scoring.jpg]


Service-Provided Values:

CVSS Base Score. The Base score measures the fundamental, unchanging qualities of a vulnerability. The Base score is modified by the CVSS Temporal Score and Environmental metrics when the final CVSS score is calculated.

CVSS Temporal Score. The Temporal score measures time-dependent qualities of a vulnerability, which may change over time. The Temporal score allows for mitigating factors to reduce the overall CVSS score for a vulnerability.

CVSS Access Vector. The Access Vector is part of the CVSS Base metric group and reflects the level of access required to exploit a vulnerability. CVSS Access Vector values are Local Access, Adjacent Network and Network. See CVSS Access Vector for a description of each value. Note that CVSS Access Vector only appears on the Vulnerability Information page. To see this page, click the information icon (ico_info.jpg) for any vulnerability in the KnowledgeBase.


User-Provided Environmental Metrics:

The CVSS Environmental Metric group captures the characteristics of a vulnerability that are associated with the user's IT environment. Users assign metric values to asset groups when editing asset groups (see Editing Asset Groups for information). The metric values defined for an asset group apply to all hosts in the asset group.

Collateral Damage Potential. This environmental metric represents the potential for loss of physical equipment and property damage.

Target Distribution. This environmental metric represents the relative size of the field of target systems susceptible to the vulnerability.

The following Security Requirements metrics enable users to customize the final CVSS score, depending on the importance of the affected host to the user's organization.

Confidentiality Requirement. This environmental metric represents the impact that loss of confidentiality has on the organization or on individuals associated with the organization (for example, employees or customers).

Integrity Requirement. This environmental metric represents the impact that loss of integrity has on the organization or on individuals associated with the organization (for example, employees or customers).

Availability Requirement. This environmental metric represents the impact that loss of availability has on the organization or on individuals associated with the organization (for example, employees or customers).