CVSS 4.0 is here, but most of the industry still scores with CVSS 3.1. If you write vulnerability reports for pentest clients or bug bounty programs, you need to understand what changed, why it matters, and which version your audience expects. This guide compares the two specifications based on the official FIRST CVSS v4.0 specification and the established CVSS v3.1 specification, with practical advice for report writers.
Score your findings with our CVSS calculator and include the vector string in every report — whether you use 3.1 or 4.0, transparency about your scoring rationale prevents disputes during triage.
What CVSS does (and does not do)
The Common Vulnerability Scoring System provides a standardized way to rate severity. It answers: "How bad is this vulnerability in isolation?" It does not answer: "How bad is this for our specific organization?" That requires threat modeling and environmental context — which both CVSS versions address through supplemental metrics.
CVSS scores appear in NVD entries, bug bounty platforms, pentest reports, and SOC triage queues. Consistent scoring helps teams prioritize remediation. Inconsistent scoring — or scores without vector strings — creates confusion and rework.
Major changes in CVSS 4.0
CVSS 4.0, published by FIRST, introduces several structural changes from 3.1:
New base metrics
- Attack Requirements (AT) — separates conditions beyond attacker control (e.g., specific network placement) from attack complexity
- Safety (S) — for vulnerabilities affecting safety-critical systems (medical devices, industrial control)
- Automatable (AU) — whether the attack can be fully automated at scale
- Recovery (R) — replaces the old Availability impact scope with explicit recovery effort
- Value Density (V) — concentration of value accessible to the attacker
- Vulnerability Response Effort (RE) — difficulty of remediation for the vendor
Renamed and refined metrics
- User Interaction (UI) now has three values: None, Passive, Active — distinguishing "user must click" from "user must actively participate in the attack chain"
- Privileges Required (PR) adds "High" granularity for admin-level access
- Scope (S) from 3.1 is replaced by explicit impacts on subsequent systems
Threat metrics separated from base
CVSS 4.0 moves Exploit Maturity out of the base score and into a dedicated Threat metric group. This means the base score reflects intrinsic vulnerability severity, while exploit availability is layered on separately — a cleaner separation that reduces score inflation for theoretical vulnerabilities with public exploits.
How scores differ in practice
Not every finding scores differently between versions, but common shifts include:
- Reconnaissance-heavy attacks may score lower in 4.0 when Attack Requirements capture the setup effort
- Chained vulnerabilities benefit from 4.0's Supplemental metric group, which explicitly accounts for vulnerability chains
- Safety-critical contexts can score higher with the new Safety metric — relevant for OT/ICS and healthcare reports
- UI: Active vs Passive distinguishes social-engineering-heavy bugs from click-to-exploit issues more precisely
For a concrete scoring example in report format, see our vulnerability assessment report example, which uses CVSS 3.1 vectors with full notation.
Calculate CVSS scores for your findings
Use the PoCcraft CVSS calculator to generate vector strings and severity ratings, then paste them directly into your reports.
Open CVSS CalculatorWhich version should you use?
Use CVSS 3.1 when:
- Your client, platform, or compliance framework explicitly requires it (most still do)
- You are scoring CVEs that NVD has rated with 3.1 vectors
- Your report template and tooling default to 3.1
- The bug bounty program's severity rubric maps to CVSS 3.x
Consider CVSS 4.0 when:
- Your client has adopted 4.0 or requests it explicitly
- You are assessing safety-critical or OT/ICS environments where the Safety metric adds value
- You need to document vulnerability chains with the Supplemental metric group
- Your organization is standardizing on 4.0 for new engagements
The practical answer in 2026: default to CVSS 3.1 unless told otherwise, but learn 4.0 now so you are ready when clients and platforms migrate. Always state which version you used in the report's methodology section.
CVSS and OWASP categories
CVSS scores severity; OWASP categories classify vulnerability types. They complement each other in reports. A stored XSS might be OWASP A03:2021 (Injection) with a CVSS base score of 7.1 — the category tells developers what class of fix to apply, the score tells management how urgently to fund it. See our OWASP Top 10 guide for report writers for mapping findings to the right categories.
The OWASP Top 10 does not prescribe a CVSS version, but most OWASP-aligned reports still include CVSS 3.1 vectors in 2026. When OWASP documentation references severity, it typically points to industry-standard scoring — currently CVSS 3.1 in most published materials.
Tips for report writers
Always include the vector string. A score of "7.5 High" without CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N is not reproducible. Triage engineers and clients need the vector to validate or challenge your rating.
Document environmental adjustments separately. If you lower a score because the vulnerability is on a staging server behind VPN, note that in a "Environmental Score" or "Residual Risk" section — do not silently change the base score.
Do not treat CVSS as gospel. A CVSS 5.3 vulnerability on a payment processing endpoint may deserve more urgency than a 8.1 bug on an internal dev tool. Use CVSS as input to prioritization, not the sole decision factor.
Align with your pentest report structure. Place the CVSS vector in a consistent field for every finding — severity label, numeric score, and full vector on one line.
The bottom line
CVSS 4.0 adds granularity with new metrics like Attack Requirements, Safety, and separated Threat scoring — but CVSS 3.1 remains the industry default for most pentest and bug bounty work in 2026. Learn both, state which version you used, always include vector strings, and score with our CVSS calculator. Reference the official FIRST CVSS documentation when clients ask why your rating differs from NVD.