Vulnerability Scoring: Comparing CVSS V2 & V3 for Medical Devices Pt.2

December 30, 2019 | Posted by Chris Gates

Welcome back to our series on scoring vulnerabilities in medical device designs! In this post, we’re going to summarize the final four of nine key differences in CVSS Version 3 compared to Version 2 and describe the relative advantages or disadvantages of each change. By the time we get done analyzing all nine, we think you’ll see why CVSS v2 is still so widely used, especially for medical device design assessments.

The change summary information contained in these sections is based on the summary provided by FIRST. (If you’d like a refresher on the first five, see our previous post.)


VI. Impact: Percentage vs. Degree

  • Version 2: Impact metrics reflected the percentage of impact to the system, and were described as None, Partial, or Complete.
  • Version 3: Impact metric values now reflect the degree of impact, and are renamed to None, Low, and High.

Impact on medical device design scoring: None.


VII. Removal of Collateral Damage

  • Version 2: Assessing Target Distribution and potential Collateral Damage as Environmental metrics was not found to be useful.
  • Version 3: Target Distribution and Collateral Damage have been replaced with Modified Base Metrics, which accommodate mitigating controls or control weaknesses that may exist within the user's environment that could reduce or raise the impact of a successfully exploited vulnerability.

Impact on medical device design scoring: Removal of Target Distribution has no impact, as this metric would only be related to products that have been fielded with multiple versions of software or other components that may or may not be affected by a threat.

However, removal of “Collateral Damage” (which, as explained in a previous post, is a metric to indicate “Severity”) makes v3 useless for scoring design vulnerabilities for medical devices.

Although the change does better highlight FIRST’s intention to account for mitigating and modifying environmental factors, without support for a metric where direct impacts to patient risk or business risk can be expressed, CVSS v3 is invalid as a rubric for scoring medical device vulnerabilities.


VIII. Atomic vs. Chained Vulnerabilities

  • Version 2: No accommodation made to account for multiple vulnerabilities used in the same attack.
  • Version 3: While not a formal metric, guidance on scoring multiple vulnerabilities is provided with Vulnerability Chaining.

Impact on medical device design scoring: None. Version 3.x documentation does state that chained vulnerabilities should be identified, and this advice can and should also be applied to v2 scoring as appropriate.


IX. Qualitative Mapping

  • Version 2: No formal qualitative scoring guidelines provided.
  • Version 3: Numerical ranges have been mapped to a 5-point qualitative rating scale.

Impact on medical device design scoring: Minimal impact. While CVSS v2 documentation did not address qualitative scoring ranges, such a qualitative relationship had been defined by the National Vulnerability Database (NVD). NVD defines the criticality of the resultant score as “Low” for 0.0 to 3.9; “Medium” for 4.0 to 6.9; and “High” for 7.0 to 10.0.

CVSS v3 documentation suggests 5 qualitative ranges: “None” for 0.0; “Low” for 0.1 to 3.9; “Medium” for 4.0 to 6.9; “High” for 7.0 to 8.9; and “Critical” for 9.0 to 10.0. FIRST also allows for alternative qualitative mappings to be established.

For the purposes of design vulnerability scoring for medical devices, the default CVSS v2 threshold is set to 4.0, which is also the same qualitative value of “Medium” in CVSS v3. Any score above this level requires additional investigation with the intent of implementing mitigating controls.
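
To make sections VII and IX concrete, the following added example (not code from the original post or from FIRST) computes a CVSS v2 base score, applies only the Collateral Damage Potential environmental metric, and maps the result to the NVD ranges and the 4.0 threshold quoted above. The metric weights and equations are those of the CVSS v2 specification; the sample vector and all function names are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (FIRST).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5}
THRESHOLD = 4.0  # design-assessment threshold stated in the post


def r1(x):
    """Round to one decimal, half up, as the v2 equations require."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), ROUND_HALF_UP))


def base_score(vector):
    """Base score for a v2 vector such as 'AV:L/AC:L/Au:N/C:N/I:P/A:N'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0.0 if impact == 0 else 1.176
    return r1((0.6 * impact + 0.4 * exploitability - 1.5) * f)


def environmental_score(vector, cdp):
    """Environmental score with only Collateral Damage Potential set.

    Assumption: temporal metrics, Target Distribution and the security
    requirements are left Not Defined (multiplier 1.0), so the adjusted
    temporal score equals the base score.
    """
    adjusted = base_score(vector)
    return r1(adjusted + (10 - adjusted) * CDP[cdp])


def nvd_rating(score):
    """NVD qualitative ranges for v2 scores, as quoted in the post."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


if __name__ == "__main__":
    vec = "AV:L/AC:L/Au:N/C:N/I:P/A:N"  # constructed sample finding
    for cdp in ("N", "LM", "MH"):
        s = environmental_score(vec, cdp)
        # The post says scores "above" the threshold need investigation.
        print(f"CDP:{cdp:<2} {s:>4} {nvd_rating(s):<6} investigate={s > THRESHOLD}")
```

For the sample vector the base score of 2.1 rates “Low”, while a Collateral Damage Potential of Low-Medium raises the environmental score to 4.5, above the 4.0 threshold.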



The above differences between CVSS v2 and v3 were created by FIRST to address threats in an MIS/IT system in a live production environment. At best the changes implemented in v3 have no impact, but at worst they invalidate CVSS v3 as a viable vulnerability scoring rubric for medical device design assessments.

It is because of these changes that CVSS v2 remains in common use in security generally, and especially for scoring design vulnerabilities in medical devices.


In our next post, we’ll take a look at the other vulnerability scoring rubrics available, touch on their approaches, describe their shortcomings and suitability for medical device design assessments, and see how they compare to CVSS v2.

