CVSS scoring — how do you handle disagreements with vendor scores?

by rachel_s, 8 views, 3 replies
rachel_s (OP)
May 27, 2026

Security analyst here working on our vulnerability management program. We use CVSS base scores as part of our prioritization process but I keep running into situations where the vendor-provided CVSS score seems too low for our specific environment.

For example, we recently had a vulnerability with a CVSS 6.8 (medium) that in our context was effectively critical because of our network configuration. We bumped it in our internal tracking but got pushback from leadership who wanted to go with the vendor score.

How do other orgs handle the base score vs contextual risk gap? Any frameworks for explaining environmental scoring to non-technical stakeholders?

David K.
May 28, 2026
This is exactly what the CVSS temporal and environmental metrics are designed for. Use the environmental score (with modified base metrics reflecting your actual configuration) to get a more accurate number. Showing leadership a justified CVSS environmental score is more defensible than just saying 'we think it's higher.'
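The environmental re-scoring described in the reply above, worked through as an added example (this is not code from the thread or from FIRST; it implements the formulas and weights of the CVSS v3.1 specification, and the two vectors are constructed for illustration rather than taken from any real advisory). The vendor vector scores 6.8 Medium. Setting the organisation's Confidentiality and Integrity Requirements to High and Modified Attack Complexity to Low (the assumption being that the precondition the vendor rated as hard is trivially met on a flat internal network) lifts it to 8.8 High; also setting Modified User Interaction to None (assuming the affected workflow runs unattended) lifts it to 9.8 Critical. With no modified metrics the environmental score equals the base score, which is the "same formula, our inputs" point to make to leadership.

```python
"""CVSS v3.1 base, temporal and environmental calculator.

Added example for this thread (not code from the post or from FIRST).
Formulas and constants follow the CVSS v3.1 specification, section 7;
the vectors in main() are constructed for illustration only.
"""
import math

# Metric weights, CVSS v3.1 specification Table 8.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}   # Scope Changed lifts PR weights
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR weights

BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
OPTIONAL = ("E", "RL", "RC", "CR", "IR", "AR",
            "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")


def roundup(value):
    """Spec Roundup(): smallest one-decimal number >= value, computed on
    integers so a float artefact like 4.000000001 does not become 4.1."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:H/...' -> dict; absent optional metrics are X."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    m = {k: "X" for k in OPTIONAL}
    for part in parts[1:]:
        key, val = part.split(":")
        m[key] = val
    missing = [k for k in BASE if k not in m]
    if missing:
        raise ValueError(f"base metrics missing: {missing}")
    return m


def severity(s):
    if s == 0:
        return "None"
    return "Low" if s < 4 else "Medium" if s < 7 else "High" if s < 9 else "Critical"


def _score(m, modified):
    """Shared base/environmental arithmetic. With modified=True every MX
    metric overrides its base counterpart (falling back to it when X), the
    CR/IR/AR weights apply and the MISS cap of 0.915 is enforced."""
    def g(name):
        if modified and m["M" + name] != "X":
            return m["M" + name]
        return m[name]
    changed = g("S") == "C"
    pr = PR_CHANGED if changed else PR_UNCHANGED
    req = (lambda k: REQ[m[k]]) if modified else (lambda k: 1.0)
    iss = 1 - ((1 - req("CR") * CIA[g("C")]) * (1 - req("IR") * CIA[g("I")])
               * (1 - req("AR") * CIA[g("A")]))
    if modified:
        iss = min(iss, 0.915)
    if changed:  # v3.1 uses a different polynomial for the modified impact
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
                  if modified else
                  7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15)
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[g("AV")] * AC[g("AC")] * pr[g("PR")] * UI[g("UI")]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return roundup(min(total, 10))


def base_score(m):
    return _score(m, modified=False)


def temporal_factor(m):
    return E[m["E"]] * RL[m["RL"]] * RC[m["RC"]]


def temporal_score(m):
    return roundup(base_score(m) * temporal_factor(m))


def environmental_score(m):
    # Spec: Roundup(Roundup(Minimum(..., 10)) * ExploitCodeMaturity * RL * RC)
    return roundup(_score(m, modified=True) * temporal_factor(m))


def score(vector):
    m = parse_vector(vector)
    env = environmental_score(m)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": env, "severity": severity(env)}


if __name__ == "__main__":
    # Constructed vectors, not taken from any real advisory.
    vendor = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
    # Assumed environment: the AC:H precondition is trivially met on a flat
    # internal network (MAC:L) and the host keeps regulated data (CR:H, IR:H).
    ours = vendor + "/CR:H/IR:H/MAC:L"
    # Same, but the affected workflow is assumed to run unattended (MUI:N).
    ours_unattended = ours + "/MUI:N"
    for v in (vendor, ours, ours_unattended):
        print(v, score(v))
```

Each modified metric in the environmental vector is a claim about your environment, so the one-pager should carry the vector string and one sentence per modified metric saying why it differs from the vendor's value; the calculator then reproduces the number for anyone who doubts it.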
rachel_s
May 28, 2026
We created a simple one-pager explaining that CVSS base scores assume generic environments and our environmental scores account for our specific exposure. Leadership understood once we framed it as 'the vendor scores for everyone, we score for us.'
Mike_T
May 28, 2026
Also document your reasoning when you override. Audit trails matter for compliance and for retrospectives after incidents. A CVSS 6.8 that led to a breach because your team flagged it as critical but got overruled is a very different conversation with documented rationale.
