IT Vulnerability Scoring Systems

This post features scoring systems for IT vulnerabilities.

List of Vulnerability Scoring Systems

These are the resources for vulnerability scoring systems:

  • CVSS
  • EPSS

The most popular is CVSS.


The Common Vulnerability Scoring System (CVSS) is an open standard that provides a framework for assessing the characteristics and severity of IT vulnerabilities and for communicating them.

The Forum of Incident Response and Security Teams (FIRST) is the custodian of CVSS and develops its further versions.

There are different versions of CVSS. As of 2024, the latest version is CVSS v4.0, released in November 2023. You can read the specification at this external link.

Examples of websites using CVSS:

  • CVE
  • Microsoft Security Response Center (MSRC)

CVSS official website at FIRST

CVSS website at NIST


Exploit Prediction Scoring System (EPSS) measures the likelihood of an incident.

EPSS official website at FIRST


Damage, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD) is a qualitative risk assessment model that assigns scores to vulnerabilities based on these five factors. It provides a simple way to evaluate and prioritize vulnerabilities.

It was formerly used by Microsoft.
