Understanding CVSS 4.0 and the Future of Vulnerability Scoring

Corey Tomlinson
October 30, 2025
Industry Perspectives

The Common Vulnerability Scoring System (CVSS) has been the industry’s go-to framework for assessing vulnerability severity for nearly two decades. It provides a standardized way to measure and communicate the technical impact of a vulnerability. As threat landscapes evolve and organizations mature in their vulnerability management practices, questions about its relevance and limitations persist. 

That even led to our co-founder, Scott Kuffer, writing a defense of the algorithm earlier this year. 

In late 2023, FIRST.org officially released CVSS 4.0, introducing a new structure and refinements that aim to make the system more precise, flexible, and context-aware. To explore what’s new, what’s working, and what the future might hold, I sat down with Adam Dudley, Nucleus Security’s VP of Strategy and Alliances, for an updated discussion following his earlier deep dive into CVSS 3.1. 

You can watch the full conversation below. 

What’s New in CVSS 4.0 

Adam made it a point to call CVSS 4.0 “an improvement ... but only if you use it as intended.” The update introduces several important enhancements over version 3.1, including: 

  • The Threat metric group. It replaces the old Temporal metrics and captures real-world exploitability (exploit maturity) more effectively.
  • The Supplemental metric group. It gives organizations a way to attach additional context, such as Safety impact, which is particularly relevant to OT/ICS systems, without changing the numeric score.
  • Finer Base metric granularity. Attack Requirements is now separate from Attack Complexity, User Interaction distinguishes passive from active interaction, and impact is recorded separately for the vulnerable system and any subsequent systems, replacing the 3.1 Scope metric. 

Together, these changes help practitioners produce a more accurate reflection of a vulnerability’s risk in operational environments. Adam cautioned, however, that the improvements are only as strong as their implementation: “The algorithm isn’t the problem. It’s how people use it.” Many teams, he notes, still rely solely on the base score, missing out on the additional insight available through the threat and environmental components. The 4.0 specification makes that distinction explicit in its nomenclature: a score computed from base metrics alone is labelled CVSS-B, while CVSS-BT, CVSS-BE and CVSS-BTE indicate that threat and/or environmental metrics were actually applied. 

The Evolving Role of CVSS in Vulnerability Management 

Despite its longevity, CVSS remains central to vulnerability management in most organizations and continues to be a core input to the Nucleus platform. There is, however, a clear shift among enterprise security teams: they are no longer using CVSS in isolation. 

“Security leaders keep coming back to one word — context,” Adam said. “They want more of it to make faster, smarter risk decisions.” Today, leading teams are combining CVSS with: 

  • Asset criticality and ownership data
  • Live exploit intelligence
  • Business context and exposure information 

This blended approach gives a more realistic picture of what truly matters in an environment, what needs to be remediated first, and what can wait. CVSS 4.0 supports this shift through its Threat and Environmental metric groups, which make it easier to feed external exploit intelligence and internal business context directly into scoring workflows rather than bolting them on afterwards. 
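To make concrete what “using CVSS 4.0 as intended” means, and how threat and business context enter a scoring workflow, here is a small Python example added for this post. It is not Nucleus code and it does not implement the CVSS 4.0 scoring algorithm itself; it parses a CVSS v4.0 vector string, validates it against the metric names and values defined in the FIRST specification, reports which nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) the vector actually supports, and applies the Environmental “Modified” metrics over the base metrics the way the specification says they override them. The sample vectors at the bottom are constructed for illustration.

```python
"""Parse CVSS v4.0 vector strings, report which metric groups a vector actually
carries, and apply Environmental overrides to the Base metrics.

Added example for this post; it is not Nucleus code and not the scoring
algorithm. Metric names and allowed values follow the CVSS v4.0
specification; the sample vectors under __main__ are constructed.
"""
import re

# Metric groups as defined in the CVSS v4.0 specification. "X" (Not Defined)
# is the default for every non-Base metric and is equivalent to omitting it.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",  # S = Safety, new in 4.0
}
SUPPLEMENTAL = {
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALLOWED = {}
for group in (BASE, THREAT, ENVIRONMENTAL):
    ALLOWED.update({name: tuple(values) for name, values in group.items()})
ALLOWED.update(SUPPLEMENTAL)

PREFIX = "CVSS:4.0/"


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS v4.0 vector, rejecting malformed input.

    Every Base metric must be present exactly once; the other groups are
    optional. Unknown metrics, bad values and duplicates raise ValueError so a
    scoring pipeline fails closed on garbage input instead of scoring it.
    """
    if not vector.startswith(PREFIX):
        raise ValueError("not a CVSS v4.0 vector: missing 'CVSS:4.0/' prefix")
    metrics = {}
    for part in vector[len(PREFIX):].split("/"):
        match = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if not match:
            raise ValueError(f"malformed metric component {part!r}")
        name, value = match.groups()
        if name not in ALLOWED:
            raise ValueError(f"unknown metric {name!r}")
        if value not in ALLOWED[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise ValueError(f"missing mandatory Base metrics: {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    """Boolean gate for pipelines that only need accept/reject."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(metrics: dict) -> str:
    """Name the score the vector supports: CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE.

    This is the specification's own nomenclature: a vector only yields a
    threat or environmental score if those metrics are set to something
    other than "X". Supplemental metrics never change the label.
    """
    has_threat = metrics.get("E", "X") != "X"
    has_env = any(metrics.get(name, "X") != "X" for name in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


def effective_base(metrics: dict) -> dict:
    """Apply Environmental overrides: each Modified metric (MAV, MPR, MSI, ...)
    that is not "X" replaces its Base counterpart before scoring."""
    result = {name: metrics[name] for name in BASE}
    for name in BASE:
        override = metrics.get("M" + name, "X")
        if override != "X":
            result[name] = override
    return result


if __name__ == "__main__":
    # Constructed samples: a Base-only vector, and the same vector enriched
    # with an exploit-maturity rating and environment-specific context.
    base_only = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    enriched = base_only + "/E:A/CR:H/MAV:A/MSI:S"
    for vec in (base_only, enriched):
        parsed = parse_vector(vec)
        print(nomenclature(parsed), effective_base(parsed))
```

A Base-only vector and one that merely appends `E:X` both come back as CVSS-B, which is the trap Adam describes: a record can carry threat and environmental fields without any of them being set, so a pipeline should check the nomenclature rather than assume enrichment happened. Turning the effective metrics into a numeric score requires the specification's MacroVector lookup and is deliberately left out here.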

The Challenges: Data Quality and Adoption 

For all its structure and standardization, CVSS still struggles with a familiar problem: garbage in, garbage out. As Adam put it, “If practitioners aren’t providing consistent, normalized, and enriched data, they’re missing critical signals.” That limitation isn’t a shortcoming of the system itself. It's a data problem. 

He also pointed out that automation plays an essential role in solving this. Many of the most impactful benefits of CVSS 4.0 come to life only when it’s paired with automated workflows that enrich and standardize data before scoring. 

The other hurdle? Change resistance. Organizations tend to be slow to adopt new versions of standardized frameworks, especially those as entrenched as CVSS. Adam expects it will take time for 4.0 to fully replace 3.1 across the industry, despite the fact that it’s been nearly two years since its initial release. 

Looking Ahead: AI, Transparency, and the Future of Scoring 

When asked about what’s next for vulnerability scoring systems, Adam didn’t hesitate to mention AI. He didn’t refer to it as a replacement, but rather as an enhancer. He sees a near future where AI augments scoring algorithms by improving data quality, consistency, and contextual accuracy, helping practitioners make better decisions faster. 

Still, he cautioned against black-box risk scoring models that obscure how scores are derived. Transparency remains key. “If people are using black-box algorithms to determine severity and score risk,” he asked, “how do they know what’s going in — and whether those inputs are high quality?” 

Ultimately, CVSS isn’t going anywhere soon. It will continue to serve as a common language for severity across tools and teams, but increasingly as part of a broader, more context-rich ecosystem that incorporates business impact, exploitability, and environmental intelligence. 

For a deeper dive into how CVSS has evolved and how it fits into modern vulnerability management practices, explore these related Nucleus articles: 

Corey Tomlinson
Corey is a member of the Nucleus marketing team, responsible for driving awareness about the company's solutions and topics relevant to the company's customers and partners.
