How To Explain CVSS Scores To Your Grandmother

Imagine your grandma asks:

“Honey, what’s that CVSS thing you keep complaining about?”

Here’s how you explain it so she understands… and so do your clients.


The Simple Explanation

CVSS stands for Common Vulnerability Scoring System. It’s a way to measure how bad a vulnerability is, using a number from 0 to 10.

  • 0 means “Who cares?”
  • 10 means “We’re all gonna die.”

It tries to quantify:

  • How easy it is to exploit
  • What the impact would be
  • Whether it can be exploited remotely

But Here’s The Problem

Imagine you see two vulnerabilities with CVSS 9.8:

  1. On the North American power grid control system.
  2. On your ex-wife’s outdated blog about cats and astrology.

Same score. Very different impact.


Why?

Because CVSS only scores the vulnerability itself, not:

  • The business criticality of the asset
  • Its exposure in your environment
  • Whether it’s segmented behind 47 firewalls or directly on the internet

How Pen Testers Do It Wrong

Pen testers love CVSS. Why?

Because it’s easy to report:

  • “This is a 9.8. Fix it now.”
  • “This is a 4.3. Meh.”

But without enriching findings with asset context, the score is meaningless noise.


For Example:

High CVSS, low business risk

  • SMBv1 enabled on an isolated lab machine with no network access.

Low CVSS, high business risk

  • Information disclosure vulnerability on your public HR portal leaking employee SSNs.

Why Clients Do It Wrong Too

Because clients rarely provide asset criticality data to pen testers.

Instead of telling us:

  • “This server runs national grid infrastructure.”
  • “This box is a dev test instance no one uses.”

…we’re left scoring everything in a vacuum.

And so we give you raw CVSS scores, while you assume they reflect actual business risk.

Spoiler: They don’t.


The Reality

CVSS is a technical severity metric, not a business risk score.

Business risk = Technical severity × Asset value × Compensating controls × Exposure context

But that requires:

  1. Asset inventories with criticality labels
  2. Context sharing with your security partners

Which, let’s be honest, most orgs still struggle to maintain.
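To show what "enriching findings with asset context" changes in practice, here is an added example (not from the original post) that applies the post's business-risk formula to the four findings discussed above. The weighting tables, the asset labels and the CVSS scores for the SMBv1 and HR-portal items are constructed assumptions, not a standard or real CVE values.

```python
from dataclasses import dataclass

# Constructed weighting tables (assumptions for this example, not a standard).
# Lower exposure and stronger compensating controls shrink the multiplier.
ASSET_VALUE = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.2}
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}
CONTROLS = {"none": 1.0, "partial": 0.6, "strong": 0.3}


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float        # CVSS base score as the scanner or tester reported it
    asset_value: str   # business criticality label from the asset inventory
    exposure: str      # where the asset sits relative to the internet
    controls: str      # strength of compensating controls around it


def business_risk(f: Finding) -> float:
    """Technical severity x asset value x compensating controls x exposure."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS must be 0-10, got {f.cvss}")
    return round(f.cvss * ASSET_VALUE[f.asset_value]
                 * CONTROLS[f.controls] * EXPOSURE[f.exposure], 2)


def rank(findings: list[Finding]) -> list[tuple[str, float, float]]:
    """(title, cvss, business_risk) rows, highest business risk first."""
    return sorted(((f.title, f.cvss, business_risk(f)) for f in findings),
                  key=lambda row: row[2], reverse=True)


# Constructed sample findings mirroring the post's examples; the scores for
# the SMBv1 and HR-portal items are illustrative, not real CVE values.
FINDINGS = [
    Finding("RCE on power grid control system", 9.8, "critical", "internal", "partial"),
    Finding("RCE on ex-wife's cat/astrology blog", 9.8, "low", "internet", "none"),
    Finding("SMBv1 enabled on isolated lab machine", 8.8, "low", "isolated", "strong"),
    Finding("HR portal leaks employee SSNs", 5.3, "critical", "internet", "none"),
]

if __name__ == "__main__":
    for title, cvss, risk in rank(FINDINGS):
        print(f"CVSS {cvss:>4}  risk {risk:>5}  {title}")
```

Run as-is, the two identical 9.8s split apart and the 5.3 on the HR portal climbs to the top, which is the ordering the client actually cares about.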


Final Thoughts

If your vulnerability management program treats CVSS as gospel without enriching it with real asset data, it’s like grading fire hazards by flame temperature alone:

“Yes, this candle and that industrial gas leak both have flames at 1,400°C, so… same risk, right?”

✔ Wrong.


So, Grandma, What’s CVSS?

“It’s like rating how dangerous something could be, without knowing if it’s in your living room or on the moon.”


And that’s why pen testers need your asset data. Otherwise, your next report is just a list of numbers with no meaning… kind of like your ex-wife’s opinions.