Quick Answer: CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of software vulnerabilities on a 0–10 numerical scale. The CVSS specification is maintained by FIRST (Forum of Incident Response and Security Teams); the scores themselves are assigned by vulnerability databases such as the NVD, by vendors and CVE Numbering Authorities in their advisories, and by enterprise security teams, and are used to communicate severity in a common language. The CVSS Base score rates a vulnerability in isolation, without accounting for your specific environment, asset criticality, or business context.
What do CVSS score ranges mean?
- 0.0 — None: no impact
- 0.1–3.9 — Low: limited impact, difficult to exploit, or requiring extensive prerequisites
- 4.0–6.9 — Medium: meaningful impact, some prerequisites required, or limited exploitability
- 7.0–8.9 — High: significant impact with limited prerequisites or easy exploitation
- 9.0–10.0 — Critical: high impact combined with trivial exploitation, typically remote, unauthenticated and requiring no user interaction
These bands are the qualitative severity rating scale introduced with CVSS v3.0 and kept in v3.1 and v4.0. CVSS v2, still attached to many older CVEs, had no Critical band and used only Low (0.0–3.9), Medium (4.0–6.9) and High (7.0–10.0).
What are CVSS's limitations?
The CVSS Base score, which is what the NVD publishes and what most scanners display, is designed to score the vulnerability in the abstract, independent of any particular deployment. The specification does define additional metric groups for this purpose: Temporal metrics (called Threat metrics in v4.0) for exploit maturity and fix availability, and Environmental metrics for the importance of the affected asset and any controls that change how it can be reached. In practice these are rarely populated, so "the CVSS score" almost always means the Base score alone, which creates several practical limitations:
- A CVSS 9.8 vulnerability on a non-critical test server may be lower priority than a CVSS 5.0 vulnerability on a customer-facing payment system
- CVSS does not account for whether your specific configuration makes the vulnerability exploitable
- CVSS does not account for compensating controls (a WAF, IP allow-listing, network segmentation) that may make a high-CVSS vulnerability unreachable or unexploitable in your environment
- CVSS does not account for compliance implications or data exposure risk
How is Business Impact Score different from CVSS?
VeilScan's Business Impact Score (BIS) builds on technical severity — similar to CVSS — but layers in asset criticality, data exposure risk, compliance impact, and attack chain context. This makes the BIS more useful for business decision-making and remediation prioritisation than a raw CVSS score alone.
See: What is a Business Impact Score? · Business Impact Score feature · What Is Business Impact Scoring?
What are common questions about CVSS Score?
What does CVSS Score mean in cybersecurity?
A CVSS score is the 0–10 severity rating derived from a vulnerability's Base metrics: how it is reached (attack vector, attack complexity, privileges required, user interaction) and what it does to confidentiality, integrity and availability. It is the common yardstick teams use when triaging findings across internet-facing assets.
Why does CVSS Score matter for external attack surface monitoring?
It matters because attackers continuously inspect public assets. Tracking this concept helps teams reduce exploitable exposure before it becomes a breach path.
How does VeilScan help with CVSS Score?
VeilScan discovers public assets, validates findings with proof, prioritises issues by business impact, and explains remediation in reports built for engineering and leadership.
See your vulnerabilities with Business Impact context, not just CVSS scores.
VeilScan's free scan includes Business Impact Score preview for one domain.