CVSS SIG Survey - 4.0

1. In what ways are you using CVSS?
Select all that apply. *This question is required.

• (publisher) Generate CVSS Scores for products.
• (consumer) Use CVSS to prioritize vulnerabilities for remediation in your organization.
• (analyst / researcher) Coordinators, consultancies, etc

2. As a publisher, which version of CVSS do you use to generate and publish vulnerability assessment information? 
Select all that apply. *This question is required.

• v2
• v3
• v3.1
• v4
• None

3. Are you using the following metrics?  *This question is required.

Space Cell	Yes	No	Not Sure	No (Unable to Access Data)
Base Metrics	Base Metrics: Yes	Base Metrics: No	Base Metrics: Not Sure	Base Metrics: No (Unable to Access Data)
Threat Metric Group	Threat Metric Group: Yes	Threat Metric Group: No	Threat Metric Group: Not Sure	Threat Metric Group: No (Unable to Access Data)
CIA Requirements	CIA Requirements : Yes	CIA Requirements : No	CIA Requirements : Not Sure	CIA Requirements : No (Unable to Access Data)
Modified Base Metrics	Modified Base Metrics: Yes	Modified Base Metrics: No	Modified Base Metrics: Not Sure	Modified Base Metrics: No (Unable to Access Data)
Safety Metric	Safety Metric : Yes	Safety Metric : No	Safety Metric : Not Sure	Safety Metric : No (Unable to Access Data)
Supplemental Metrics	Supplemental Metrics: Yes	Supplemental Metrics: No	Supplemental Metrics: Not Sure	Supplemental Metrics: No (Unable to Access Data)

4. When you consume CVSS, which version of CVSS do you use?
Select all that apply. 

• v2
• v3.0
• v3.1
• v4.0
• None

5. Have you tried using CVSS v4.0?  *This question is required.

• Yes
• No

6. Is the value of CVSS v4.0 worth the additional complexity and effort required for adoption? *This question is required.

• Yes
• No

7. If you have had difficulty adopting CVSS v4.0, which of the following would be most effective in assisting adoption?
Select all that apply. *This question is required.

• Specification document with simpler language
• Simpler CVSS User Guide
• More or improved CVSS examples
• Software library availability and support for integrating the score calculation logic in custom tools
• Other - Write In Please enter an 'other' value for this selection.

8. If you are a publisher that is not using CVSS v4.0, what are your challenges for using it in your assessments?
Select all that apply.

• Inadequate tool support
• Contractual obligations to previous versions
• Complexity or lack of understanding of the new metrics
• Uncertainty in early adoption of new standard
• Lack of demand from scoring consumers or providers
• Resource limitations or organizational challenges
• Numerical scores are inadequate at capturing vulnerability impact
• Other - Write In Please enter an 'other' value for this selection.