How do you determine the severity of a vulnerability?

We use the Common Vulnerability Scoring System (CVSS) v3.0 for assessing and communicating the characteristics and impacts of security vulnerabilities. The quantitative model of CVSS ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

CVSS is well suited as a standard measurement system for industries, organisations, and governments that need accurate and consistent vulnerability impact scores.

Two common uses of CVSS are prioritising vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one’s systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.