The Forum of Incident Response and Security Teams (FIRST) on Monday pushed out a refresh of its CVSS vulnerability scoring standard as part of an attempt to provide more data and remove ambiguities in rating the severity of downstream issues.

The updated standard, used by organizations to rate the severity of known software flaws, offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity and simplifies threat metrics, FIRST said.

The non-profit collective, which includes more than 650 organizations from more than 100 countries, said several supplemental metrics for vulnerability assessment were added to flag bugs that may be Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency. 

“A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups,” the group said.

The CVSS standard provides a way to capture the principal characteristics of a security vulnerability and produces a numerical score reflecting [a vulnerability’s] technical severity to inform and provide guidance to businesses, service providers, government, and the public.

The numerical score can be represented as a qualitative severity rating (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes and prepare defenses against cyber-attacks.

“This latest release marks a significant step forward with added capabilities crucial for teams with the importance of using threat intelligence and environmental metrics for accurate scoring at its core,” the group said.

Related: CVSS Scores Often Misleading for ICS Vulnerabilities

Related: FIRST Announces CVSS Version 3.1

Related: TLP 2.0 Brings Wording Improvements, Label Changes