CVSS v4.0 By The Numbers
CVE/FIRST VulnCon 2025 · Main Stage
In this talk, Nick Leali, a co-chair of the CVSS Special Interest Group (SIG) and an Incident Manager at Cisco PSIRT, examines the numerical and qualitative shifts introduced by **CVSS v4.0** compared to its predecessor, **CVSS v3.1**. Leali's presentation, "CVSS v4.0 By The Numbers," provides a data-driven analysis of how the new scoring standard affects vulnerability assessments, risk management decisions, and operational processes for both vulnerability producers (such as product security teams) and consumers (such as incident response and vulnerability management teams). The talk emphasizes that CVSS v4.0 is not merely an incremental update but a fundamentally different framework whose altered mathematical assumptions produce significant changes in assigned scores and, consequently, in the qualitative severity categories (such as Critical, High, Medium, and Low) into which vulnerabilities fall.
AI review
Leali is the right person to give this talk — CVSS SIG co-chair, Cisco PSIRT practitioner, clearly did the legwork with real datasets. The data-driven framing is the right instinct: instead of just explaining what changed in v4.0, he actually ran the numbers across Cisco internal data, CVE program data, and GitHub advisories to show what the qualitative boundary shifts look like in practice. That's genuinely useful for any org trying to understand what CVSS v4.0 adoption means for their SLAs and compliance obligations. The problem is the ceiling: this is a well-executed practitioner briefing…