Glossary

CVSS (Common Vulnerability Scoring System)

A standardized system for scoring vulnerability severity from 0 to 10. The CVSS score accounts for exploitation complexity and impact on confidentiality, integrity, and availability. It is used in all professional audit reports.

How to read a CVSS score

The Common Vulnerability Scoring System rates vulnerability severity from 0 to 10 based on objective metrics: attack vector (network, local...), complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability. The usual ranges: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10 critical. The base score is published for each CVE; temporal and environmental scores refine it based on exploit availability and your context.

The limits of CVSS for prioritization

CVSS measures intrinsic technical severity, not your actual risk. A CVSS 9.8 flaw in an unexposed component can be less urgent than a 6.5 on your login portal. For an HR SaaS, good prioritization crosses the score with the component's real exposure, observed exploitability (CISA's KEV catalog, EPSS scores), and the sensitivity of reachable data — a payslip is not worth the same as a public page. That reasoning, more than the raw score, should drive your remediation order.

The CleanIssue approach

In our reports, every finding gets a severity that combines CVSS logic with the real business impact for an HR vendor: which employee data is reachable, from what access level, how easily. The result is a prioritized fix list your team can execute in order, rather than a pile of decontextualized scores.

Frequently asked questions

Does a CVSS of 9 mean immediate danger?

Not necessarily. The base score ignores your context: if the vulnerable component isn't exposed or the affected feature isn't used, the actual risk can be limited. Conversely, a medium-score flaw on a critical exposed endpoint can be an absolute priority.

Which CVSS version should you use?

CVSS v3.1 remains the most widespread reference; v4.0, published in late 2023, refines the metrics (attack requirements, automation). In practice what matters is consistency: use the same version to compare your vulnerabilities, and always complement with real exposure analysis.

What is the difference between CVSS and EPSS?

CVSS estimates severity if the flaw is exploited; EPSS estimates the probability it will be exploited within 30 days, based on observed exploitation data. Crossing both (severity × probability) gives far better prioritization than CVSS alone.

Related Pages

Other Terms

Need an external review of your HR SaaS?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit