OWASP AI Vulnerability Scoring System (AIVSS)

OWASP AIVSS v0.8 (March 19, 2026) is the first AI-specific vulnerability scoring system. It extends CVSS 4.0 with agentic amplification factors that CVSS was not designed to capture, producing contextual severity scores on a 0-10 scale.

This fills a critical measurement gap: CVSS 4.0 treats a vulnerability as a static property of code, but AI vulnerabilities are contextually dependent on how the AI system is deployed, what capabilities it has, and how autonomously it operates.

Agentic Risk Amplification Factors

AIVSS v0.8 scores ten Agentic Risk Amplification Factors, each on a 3-point scale — 0.0 (none / not present), 0.5 (partial / limited), 1.0 (full / unconstrained). Their unweighted total is Factor_Sum (max 10). The factors below are the official v0.8 set; an earlier wiki revision listed a paraphrased subset of five.

FactorDescription
Execution AutonomyAbility to execute actions without human verification
External Tool Control SurfaceBreadth and privilege of external APIs / tools the agent can access
Natural Language InterfaceReliance on unstructured natural language for goal formulation and instruction
Contextual AwarenessUse of environmental sensors or broad data context to drive decisions
Behavioral Non-DeterminismVariance in output or action for identical inputs
Opacity & ReflexivityLack of internal visibility or ability to audit decision logic
Persistent State RetentionAbility to retain memory or state across sessions
Dynamic IdentityAbility to assume different user roles or permissions at runtime
Multi-Agent InteractionsCoordination with or dependency on other autonomous agents
Self-ModificationAbility to alter its own code, prompts, or tool configurations

Scoring Formula

AIVSS v0.8 consumes a CVSS v4.0 base score unchanged and adds an agentic uplift over the “Agentic Risk Gap” — the headroom between the base score and 10:

AARS  = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
AIVSS = (CVSS_Base + AARS) × Mitigation_Factor          (bounded 0–10)
  • Threat Multiplier (ThM): 1.0 Attacked, 0.97 Proof-of-Concept (default), 0.50 Unreported.
  • Mitigation Factor: 1.0 No/Weak (default), 0.83 Partial, 0.67 Strong — a coarse scalar that scales the score by mitigation strength; it enumerates no controls.

The v0.5 spec used a different simple-average form (((CVSS_Base + AARS) / 2) × ThM, with ThM = 0.91 for Unreported); cite the v0.8 Risk-Gap form above. AIVSS scores severity and delegates the control catalog to AIUC-1 via the published AIUC-1 ↔ AIVSS crosswalk. See the 2026-Q2 standards review.

Status and Roadmap

  • v0.8 published March 19, 2026 — community review phase
  • Next community review period opens: April 16, 2026
  • OWASP AIBOM Generator is a companion tool (CycloneDX format) for inventory
  • A ratified v1.0 would be the first standardized AI vulnerability scoring methodology

Why This Matters

The absence of an AI-specific scoring system means:

  • CVE reporters default to CVSS 4.0, which may systematically underweight agentic vulnerabilities
  • Risk prioritization across organizations is inconsistent
  • No common language for comparing AI vulnerability severity

AIVSS provides the scoring methodology needed to make the ASI Top 10 quantitatively actionable.

Strengths

  • First and only AI-specific vulnerability scoring extension
  • Addresses the fundamental limitation of CVSS for agentic systems
  • OWASP community governance ensures vendor-neutral development
  • Direct integration with CVSS 4.0 eases adoption for security teams already using CVSS

Gaps and Shortcomings

  • Still v0.8 — in community review; has not achieved the adoption level of CVSS
  • Formal validation of amplification factor weights is ongoing
  • No CVSS integration specification yet (how AIVSS scores relate to NVD/CVE records)
  • Implementation tooling limited to community review documentation

See Also

Sources