nerdexam
(ISC)2

CISSP · Question #24

Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?

The correct answer is C. It aims to calculate the risk of published vulnerabilities.. The Common Vulnerability Scoring System (CVSS) is a framework that provides a standardized and consistent way of measuring and communicating the severity and risk of published vulnerabilities. CVSS assigns a numerical score and a vector string to each vulnerability, based on vari

Submitted by packet_pusher· Mar 5, 2026Security Assessment and Testing

Question

Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?

Options

  • AIt has normalized severity ratings.
  • BIt has many worksheets and practices to implement.
  • CIt aims to calculate the risk of published vulnerabilities.
  • DIt requires a robust risk management framework to be put in place.

How the community answered

(62 responses)
  • A
    8% (5)
  • B
    3% (2)
  • C
    84% (52)
  • D
    5% (3)

Explanation

The Common Vulnerability Scoring System (CVSS) is a framework that provides a standardized and consistent way of measuring and communicating the severity and risk of published vulnerabilities. CVSS assigns a numerical score and a vector string to each vulnerability, based on various metrics and formulas. CVSS is a useful tool for prioritizing the remediation of vulnerabilities, but it has some limitations as it relates to conducting code review. One of the limitations is that CVSS aims to calculate the risk of published vulnerabilities, which means that it does not cover the vulnerabilities that are not yet discovered or disclosed. Code review, on the other hand, is a process of examining the source code of a software to identify and fix any errors, bugs, or vulnerabilities that may exist in the code. Code review can help find vulnerabilities that are not yet published, and therefore not scored by CVSS.

Topics

#CVSS#vulnerability scoring#code review#risk assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice