CVE Rating

What is a CVE?

The CVE definition is twofold. It stands for Common Vulnerabilities and Exposures, a list of publicly disclosed risks and vulnerabilities in software and systems. But CVE can also be used to reference a vulnerability that has been documented and assigned a number within the CVE list.

What is a CVE rating?

A CVE rating is a score between 1 and 10 that measures the severity of a vulnerability – how catastrophic the damage would be if a threat actor exploited it. CVE ratings are created based on standards in the Common Vulnerability Scoring System (CVSS), and are also referred to as CVSS scores.

What is the highest CVE rating?

CVE ratings, or CVSS scores, range from 1 to 10, with 10 indicating the most severe vulnerabilities. CVE ratings may also include temporal and environmental scores, which reflect how available mitigations for a vulnerability are and how widespread vulnerable systems are within an organization.

A CVSS score quantifies the severity of a vulnerability, guiding security teams in prioritizing patches and mitigations. The score falls into predefined ranges:

  • 0.0: None
  • 0.1 – 3.9: Low
  • 4.0 – 6.9: Medium
  • 7.0 – 8.9: High
  • 9.0 – 10.0: Critical

How CVE Ratings are Determined

The common vulnerability scoring system is based on several metrics. It begins with the severity of the vulnerability – in other words, how costly an attack that exploits the vulnerability would be in terms of impact on the organization and on the integrity and availability of systems. CVE ratings, or CVSS scores, also consider how easy it is for attackers to exploit the vulnerability and how easy a vulnerability is to remediate.

While these metrics are a good starting point for understanding the risk, CVSS scores are limited in three important ways: 

  1. No real-time insight. There’s often a lag – sometimes as long as days or weeks – between the discovery of a vulnerability and the assignment of a CVSS rating. This leaves security teams in the dark as to how to prioritize a recently discovered vulnerability.
  2. Static scoring. Even though the level of risk changes over time as vulnerabilities are used with greater or lesser frequency, CVSS ratings rarely change. As a result, scores may not accurately reflect how prevalent certain vulnerabilities are in cyberattacks, or how easily they can be remediated after a period of time.
  3. No recognition of probability. The common vulnerability scoring system framework offers no insight into the intent of threat actors or the availability of an actual means to exploit the vulnerability in question, so scores do not reflect how likely a vulnerability is to be used in the near future.

What's the difference between CVE and CVSS?

CVE stands for Common Vulnerabilities and Exposures, a list of known vulnerabilities in software and systems. CVSS is the Common Vulnerability Scoring System, an open framework for determining the severity of vulnerabilities on the CVE list.

The flaws in the traditional CVE rating system

CVE, or Common Vulnerabilities and Exposures, is a list of publicly disclosed flaws in software and systems that hackers can exploit. CVE ratings are determined by the Common Vulnerability Scoring System (CVSS), which assigns a CVE rating or score between 1 (low) and 10 (high) based on the severity of a particular vulnerability. Because the number of new vulnerabilities outpaces the resources of IT teams to patch them, CVE ratings are intended to help identify the vulnerabilities that pose the greatest risk, allowing security teams to address them first.

However, CVE ratings (or CVSS scores) are flawed in three serious ways that prevent security teams from getting an accurate read on which vulnerabilities represent the greatest risk.

A rating lag

While some vulnerabilities receive a CVE rating quickly, others may not be scored for weeks. This prevents security teams from having a complete picture of the risks posed by vulnerabilities.

A static score

Once a CVSS score is assigned, it rarely changes, even when vulnerabilities that were once seldom used become highly popular with attackers.

No recognition of intent

This is the most significant flaw in the traditional CVSS and CVE rating system. Traditional CVE ratings don’t evaluate the probability that threat actors will exploit a given vulnerability. They don’t take into account the way that cybercriminals are talking about vulnerabilities, how often they’re buying and selling tools to exploit them, or the volume of information that’s currently being shared about how to use them in attacks.

As a result of these flaws, traditional CVE ratings can’t provide security teams with the insights they need to make accurate decisions about vulnerability management. That’s where Bitsight DVE Intelligence can transform assessment and prioritization efforts.

Intelligence beyond a CVE rating

As the exploitation of vulnerabilities has become the dominant cyberattack vector, security teams are looking to CVE ratings to help determine which vulnerabilities to fix first. There are simply too many new vulnerabilities discovered each year – including more than 18,000 in 2021 – for security teams to patch or remediate every vulnerability. CVE ratings theoretically should help teams decide which vulnerabilities to patch first, based on the severity of an exploited vulnerability’s potential impact on the organization.

But the CVE ratings measure only the potential damage of a vulnerability exploitation, not the likelihood that threat actors will deploy it. Consequently, security teams may urgently apply patches to high-severity vulnerabilities that are unlikely to represent a threat, while postponing patches to less severe vulnerabilities that may very well be used in attacks tomorrow.

Bitsight threat intelligence offers a better way to manage vulnerability assessment. Our DVE Intelligence solution produces a CVE rating based on the predicted likelihood of a vulnerability being exploited in the near future, allowing security teams to make smarter decisions about vulnerability prioritization.

Why dark web monitoring is critical to CVE ratings

DVE Intelligence monitors the dark web for one very important reason: it’s the go-to channel for threat actors looking to communicate, collaborate, and buy or sell the data and tools they’ll use in their next attack. As a result, it’s common for evidence of planned cybercrimes to appear on the dark web long before it can be found with conventional cyber threat intelligence tools.

To produce CVE ratings based on the probability of an attack, Bitsight covertly extracts data from dark web sources such as limited-access dark web forums, invite-only messaging groups, code repositories, paste sites, and illicit underground markets. Our collection and source-infiltration tools are fully automated, and they can scrape data that’s inaccessible to other vendors. Powerful NLP and OCR algorithms process data in all languages and formats. And advanced AI and ML algorithms index, correlate, analyze, tag and filter raw data to enrich each item with context about the nature, source and evolution of each threat.

DVE Intelligence also maintains more than 7 million threat actor profiles that detail the history, arenas of activity, common TTPs, and interests of each individual or group. Our methods of collecting and processing intelligence are highly scalable, allowing us to digest tens of millions of intelligence items per day to ensure that our data is accurate and relevant.

Protecting from threats with cyber threat intelligence

To improve the effectiveness of their patching cadences, cybersecurity teams need real-time insight into risk throughout the lifecycle of a vulnerability. Bitsight delivers real-time threat intelligence from the dark web to help organizations stay ahead of cyber threats. With access to over 1,000 underground forums and marketplaces, it collects and analyzes more than 7 million intelligence items daily. Tracking 700+ APT groups, 4,000+ malware types, and 95 million threat actors, it provides security teams with rapid, context-rich insights. By enriching data with context, Bitsight enables proactive threat detection and mitigation within minutes of collection.

Bitsight’s cyber threat intelligence solution helps protect your supply chain from threats through:

  • Generative AI: Aimed at simplifying complex threat data, and drawing from a comprehensive collection of real-time threat intelligence, IQ delivers AI-generated analysis, high-quality finished reporting and 24/7 assistance.
  • Vulnerability intelligence: Dynamic Vulnerability Exploit (DVE) Intelligence is an end-to-end solution that spans the entire CVE lifecycle, streamlining vulnerability analysis, prioritization, management and remediation.
  • Identity intelligence: Discover and manage compromised identity credentials – typically originating from malware stealer logs – and set prioritization preferences to better safeguard priority assets and proactively remediate threats as they surface.
  • Attack surface intelligence: Continuously identify, classify, and monitor unknown networked assets to mitigate organizational risk. Leverage real-time asset discovery and context-rich threat intelligence across the deep, dark, and clear web for early threat detection.
  • Ransomware & malware intelligence: Gain comprehensive, real-time ransomware threat intelligence from OSINT and the clear, deep, and dark web, including insights into ransomware groups’ activities, TTPs, vulnerabilities, targeted sectors, and remediation strategies.
  • Brand & phishing intelligence: Detect real-time mentions of your brand across the cybercriminal underground. Receive early alerts regarding threat actor activity and discussions related to your company assets, products, management and credentials.
  • Threat Intelligence Services (DRPS): Elite Intelligence Services are tailored to meet the needs of your organization, delivering the insight you need to take action and reduce your threat exposure.