A qualitative ranking of severity for vulnerabilities was developed and established by the NIST—National Vulnerability Database— in two versions:
CVSS v2.0 ratings:
Severity |
Base score range |
Low |
0.0-3.9 |
Medium |
4.0-6.9 |
High |
7.0-10.0 |
CVSS v3.0 ratings:
Severity |
Base score range |
None |
0.0 |
Low |
0.1-3.9 |
Medium |
4.0-6.9 |
High |
7.0-8.9 |
Critical |
9.0-10.0 |
NVD does not account for temporal or environmental vectors as they change from organization to organization. However, you can use their calculators to help you find these numbers out:
- Common Vulnerability Scoring System Calculator Version 2: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
- Common Vulnerability Scoring System Calculator Version 3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator