CVSS v4 Assessment With SSVC
CVSS v4 introduces an updated scoring system that includes several metric groupings referred to as Equivalence Sets. In SSVC, we can model these individual equivalence sets as decision tables that can be used by analysts to assess each equivalence set value based on its component metrics (which we have mapped into SSVC decision points).
An analyst can use these decision tables to assess the CVSS v4 equivalence set values, either from their own assessment of the component metrics or from a CVSS v4 vector published by another source.
I thought SSVC and CVSS were different?
SSVC and CVSS are indeed different, but they can be used together. We do not see SSVC as a replacement for CVSS, but rather as a complementary decision-making framework that can help stakeholders make a variety of vulnerability response decisions. In fact, we're very interested in using CVSS vector elements as inputs to SSVC decision tables to help stakeholders make more informed prioritization decisions that leverage the community's understanding of a vulnerability's characteristics and impact assessments. In the future, we hope to see more SSVC decision tables that are directly informed by CVSS vectors, allowing analysts to use SSVC to create a broader set of decision models that incorporate CVSS vector elements as inputs.
CVSS v4 Equivalence Sets
Here we provide the decision points for each of the CVSS v4 equivalence sets.
Equivalence Set 1 (cvss:EQ1:1.0.0)
AV/PR/UI with 3 levels specified in Table 24
Value | Definition |
---|---|
Low (L) | 2: AV:P or not(AV:N or PR:N or UI:N) |
Medium (M) | 1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P |
High (H) | 0: AV:N and PR:N and UI:N |
Equivalence Set 1 (cvss:EQ1:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ1",
  "version": "1.0.0",
  "name": "Equivalence Set 1",
  "description": "AV/PR/UI with 3 levels specified in Table 24",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: AV:N and PR:N and UI:N"
    }
  ]
}
Equivalence Set 2 (cvss:EQ2:1.0.0)
AC/AT with 2 levels specified in Table 25
Value | Definition |
---|---|
Low (L) | 1: not (AC:L and AT:N) |
High (H) | 0: AC:L and AT:N |
Equivalence Set 2 (cvss:EQ2:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ2",
  "version": "1.0.0",
  "name": "Equivalence Set 2",
  "description": "AC/AT with 2 levels specified in Table 25",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "1: not (AC:L and AT:N)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: AC:L and AT:N"
    }
  ]
}
Equivalence Set 3 (cvss:EQ3:1.0.0)
VC/VI/VA with 3 levels specified in Table 26
Value | Definition |
---|---|
Low (L) | 2: not (VC:H or VI:H or VA:H) |
Medium (M) | 1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H) |
High (H) | 0: VC:H and VI:H |
Equivalence Set 3 (cvss:EQ3:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ3",
  "version": "1.0.0",
  "name": "Equivalence Set 3",
  "description": "VC/VI/VA with 3 levels specified in Table 26",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: not (VC:H or VI:H or VA:H)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: VC:H and VI:H"
    }
  ]
}
Equivalence Set 4 (cvss:EQ4:1.0.0)
SC/SI/SA with 3 levels specified in Table 27
Value | Definition |
---|---|
Low (L) | 2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) |
Medium (M) | 1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) |
High (H) | 0: MSI:S or MSA:S |
Equivalence Set 4 (cvss:EQ4:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ4",
  "version": "1.0.0",
  "name": "Equivalence Set 4",
  "description": "SC/SI/SA with 3 levels specified in Table 27",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: MSI:S or MSA:S"
    }
  ]
}
Equivalence Set 5 (cvss:EQ5:1.0.0)
E with 3 levels specified in Table 28
Value | Definition |
---|---|
Low (L) | 2: E:U |
Medium (M) | 1: E:P |
High (H) | 0: E:A |
Equivalence Set 5 (cvss:EQ5:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ5",
  "version": "1.0.0",
  "name": "Equivalence Set 5",
  "description": "E with 3 levels specified in Table 28",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: E:U"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: E:P"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: E:A"
    }
  ]
}
Equivalence Set 6 (cvss:EQ6:1.0.0)
VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29
Value | Definition |
---|---|
Low (L) | 1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) |
High (H) | 0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) |
Equivalence Set 6 (cvss:EQ6:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ6",
  "version": "1.0.0",
  "name": "Equivalence Set 6",
  "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
    }
  ]
}
We provide a detailed decision table for each equivalence set in the pages that follow:
- CVSS v4 Equivalence Set EQ1
- CVSS v4 Equivalence Set EQ2
- CVSS v4 Equivalence Set EQ3
- CVSS v4 Equivalence Set EQ4
- CVSS v4 Equivalence Set EQ5
- CVSS v4 Equivalence Set EQ6
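The following Python is an added example, not code from the SSVC project: it evaluates the six definitions above over a CVSS v4.0 vector string and returns the SSVC value key (L, M or H) for each equivalence set. The function names, the sample vector, and the handling of absent metrics (E treated as A, CR/IR/AR treated as H, and a defined Modified metric overriding its base metric, following the CVSS v4.0 specification) are assumptions that this page does not state.

```python
# Not Defined (X) defaults taken from the CVSS v4.0 specification (assumption, not on this page).
DEFAULTS = {"E": "A", "CR": "H", "IR": "H", "AR": "H"}

def parse_vector(vector):
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: " + vector)
    return dict(part.split(":", 1) for part in parts)

def equivalence_sets(vector):
    metrics = parse_vector(vector)

    def m(name):
        # A defined Modified metric (e.g. MAV) overrides its base metric (AV).
        modified = metrics.get("M" + name, "X")
        if modified != "X":
            return modified
        value = metrics.get(name, "X")
        return DEFAULTS.get(name, "X") if value == "X" else value

    exposed = [m("AV") == "N", m("PR") == "N", m("UI") == "N"]
    if all(exposed):                          # EQ1 High: AV:N and PR:N and UI:N
        eq1 = "H"
    elif any(exposed) and m("AV") != "P":     # EQ1 Medium: some but not all, and not AV:P
        eq1 = "M"
    else:                                     # EQ1 Low: AV:P or none of the three
        eq1 = "L"
    eq2 = "H" if m("AC") == "L" and m("AT") == "N" else "L"
    if m("VC") == "H" and m("VI") == "H":
        eq3 = "H"
    elif "H" in (m("VC"), m("VI"), m("VA")):
        eq3 = "M"
    else:
        eq3 = "L"
    if "S" in (m("MSI"), m("MSA")):           # Safety impact dominates EQ4
        eq4 = "H"
    elif "H" in (m("SC"), m("SI"), m("SA")):
        eq4 = "M"
    else:
        eq4 = "L"
    eq5 = {"A": "H", "P": "M", "U": "L"}[m("E")]
    pairs = (("CR", "VC"), ("IR", "VI"), ("AR", "VA"))
    eq6 = "H" if any(m(r) == "H" and m(v) == "H" for r, v in pairs) else "L"
    return dict(zip(("EQ1", "EQ2", "EQ3", "EQ4", "EQ5", "EQ6"),
                    (eq1, eq2, eq3, eq4, eq5, eq6)))

# Constructed sample vector (not taken from a real advisory).
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
print(equivalence_sets(SAMPLE))
```

Because the sample omits E and the security requirements, EQ5 and EQ6 both resolve to High under the Not Defined defaults, which is worth checking when a published vector carries only base metrics.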
CVSS v4 Qualitative Severity Rating
Finally, CVSS v4 provides a Qualitative Severity Rating that maps the six equivalence sets into a single qualitative rating (None, Low, Medium, High, Critical).
CVSS Qualitative Severity Rating Scale (cvss:CVSS:1.0.0)
The CVSS Qualitative Severity Rating Scale group.
Value | Definition |
---|---|
None (N) | None (0.0) |
Low (L) | Low (0.1-3.9) |
Medium (M) | Medium (4.0-6.9) |
High (H) | High (7.0-8.9) |
Critical (C) | Critical (9.0-10.0) |
CVSS Qualitative Severity Rating Scale (cvss:CVSS:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "CVSS",
  "version": "1.0.0",
  "name": "CVSS Qualitative Severity Rating Scale",
  "description": "The CVSS Qualitative Severity Rating Scale group.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "None (0.0)"
    },
    {
      "key": "L",
      "name": "Low",
      "description": "Low (0.1-3.9)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "Medium (4.0-6.9)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "High (7.0-8.9)"
    },
    {
      "key": "C",
      "name": "Critical",
      "description": "Critical (9.0-10.0)"
    }
  ]
}
A full decision model for the CVSS v4 Qualitative Severity Rating can be found in the CVSS v4 Qualitative Severity Rating page.
What about CVSS v4 MacroVectors?
CVSS v4 MacroVectors are a new addition in CVSS v4 that provide a way to map the six equivalence sets into a single vector value that can be used to assign a CVSS v4 base score. In our implementation here, we simply model the MacroVector as another decision table that takes the individual equivalence set outcomes as inputs and provides the Qualitative Severity Rating as its outcome.
How are CVSS v4 scores handled?
We do not provide numerical CVSS v4 scores in this implementation. The CVSS v4 specification defines a lookup table and a complex algorithm to compute a score between 0.0 and 10.0 based on equivalence set values and the CVSS v4 vector.
In practice, many analysts convert numerical scores into qualitative severity ratings, such as None, Low, Medium, High, or Critical:
Numerical Score | Qualitative Severity Rating |
---|---|
0.0 | None |
0.1 - 3.9 | Low |
4.0 - 6.9 | Medium |
7.0 - 8.9 | High |
9.0 - 10.0 | Critical |
One of our original concerns about CVSS v3—and still relevant in CVSS v4—was that numerical scores were often misused or misinterpreted, leading to poor prioritization decisions. To avoid this, we focus on mapping equivalence set values directly to qualitative severity ratings, which is the outcome many organizations actually care about.
Using SSVC, we can model the same assessment process that an analyst would use with CVSS v4, but entirely bypass the numerical score. The logic is identical: given a set of equivalence values, SSVC produces the same qualitative severity rating as the CVSS v4 Calculator. This demonstrates that numerical scores are not necessary for effective prioritization or decision-making.