Skip to content

Qualitative Severity Ratings

Standard Version Publisher CVSS CVSS Score (Min) CVSS Score (Max) Qualitative Severity Rating
Qualitative Severity Ratings NIST 2 0.0 3.9 Low
Qualitative Severity Ratings NIST 2 4.0 6.9 Medium
Qualitative Severity Ratings NIST 2 7.0 10.0 High
Qualitative Severity Ratings NIST 3 0.0 0.0 None
Qualitative Severity Ratings NIST 3 0.1 3.9 Low
Qualitative Severity Ratings NIST 3 4.0 6.9 Medium
Qualitative Severity Ratings NIST 3 7.0 8.9 High
Qualitative Severity Ratings NIST 3 9.0 10.0 Critical
Qualitative Severity Ratings NIST 4 0.0 0.0 None
Qualitative Severity Ratings NIST 4 0.1 3.9 Low
Qualitative Severity Ratings NIST 4 4.0 6.9 Medium
Qualitative Severity Ratings NIST 4 7.0 8.9 High
Qualitative Severity Ratings NIST 4 9.0 10.0 Critical
PCI DSS 4.0.1 PCI SSC 4.0
ASV v4.0r2 PCI SSC 3.1 0.0 3.9 Low
ASV v4.0r2 PCI SSC 3.1 4.0 6.9 Medium
ASV v4.0r2 PCI SSC 3.1 7.0 10.0 High

NIST

https://nvd.nist.gov/vuln-metrics/cvss

PCI SCC

PCI DSS

4.0.1

PCI DSS 4.0.1 Requirement 11.3.2.1 states "Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved."

ASV

"ASVs must use CVSS version v3.1 for scoring vulnerabilites in their reports:"