Common Vulnerability Scoring System (CVSS)
Definition
A standardised scoring framework that rates vulnerability severity on a 0-10 scale using base metrics (attack vector, complexity, privileges required, user interaction, impact on confidentiality, integrity, and availability), temporal metrics, and environmental metrics. CVSS scores appear in penetration test reports as a common severity reference.
Related terms
- Attestation letter
- A formal document issued by a qualified assessor, such as a PCI Qualified Security Assessor (QSA) or an ISO 27001 certification body,...
- Red team exercise
- A full-scope adversary simulation in which a team of testers uses the full range of attack techniques (technical, social engineering, and physical)...
- Remediation verification test
- A targeted re-test conducted after an organisation has applied fixes to vulnerabilities identified in the original penetration test. The re-test confirms that...
- Rules of engagement (RoE)
- The written contract or pre-test agreement that defines the authorised scope, permitted techniques, excluded systems, test window, escalation contacts, and emergency stop...
- Scope creep
- The unintended expansion of a penetration test beyond the agreed boundaries, either because testers follow a vulnerability chain into an out-of-scope system...
Explained in
- Penetration Testing Scope and Audit Interface