Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft-assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s own opinion of severity.
Disclaimer: I’m aware that CVSS v4.0 exists. However, Microsoft has not yet adopted it, and I wanted an apples-to-apples comparison.
What Is CVSS v3.1?
CVSS v3.1 provides the Qualitative Severity Rating Scale, which looks like this:
| Rating | CVSS Score |
| --- | --- |
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |

Source: FIRST.org
Microsoft, on the other hand, provides ratings with descriptions that look like this:
| Rating | Description |
| --- | --- |
| Critical | A vulnerability whose exploitation could allow code execution without user… |