OWASP AI Vulnerability Scoring System (AIVSS)
OWASP AIVSS v0.8 (March 19, 2026) is the first AI-specific vulnerability scoring system. It extends CVSS 4.0 with agentic amplification factors that CVSS was not designed to capture, producing contextual severity scores on a 0-10 scale.
This fills a critical measurement gap: CVSS 4.0 treats a vulnerability as a static property of code, whereas the severity of an AI vulnerability depends on how the AI system is deployed, what capabilities it has, and how autonomously it operates.
Agentic Amplification Factors
AIVSS v0.8 adds the following dimensions on top of the CVSS 4.0 base:
| Factor | Description |
|---|---|
| Autonomy Level | How independently does the agent act? Higher autonomy amplifies severity |
| Tool Use Scope | Which tools and APIs can the agent invoke? Broader scope amplifies severity |
| Multi-Agent Interactions | Can the vulnerability propagate across a network of agents? |
| Non-Determinism | Does the vulnerability manifest inconsistently, complicating detection? |
| Self-Modification Capability | Can a compromised agent alter its own instructions or memory? |
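As an added illustration (not OWASP's code and not the scoring formula published in AIVSS v0.8), the following Python models the five amplification factors as a deployment-context record and shows how one CVSS base score yields different contextual scores depending on where the vulnerable component is deployed. The factor names follow the table above; the numeric weights, the 0..3 levels for autonomy and tool scope, the multiplicative combining rule and the sample scenarios are assumptions chosen for illustration only.

```python
from dataclasses import dataclass

# Illustrative model of the five AIVSS v0.8 amplification factors.
# Factor names follow the AIVSS table; the weights, levels and the
# combining formula below are constructed placeholders (assumptions),
# NOT the weights or formula published by OWASP.


@dataclass(frozen=True)
class AgenticContext:
    """Deployment context of the AI system in which a vulnerability sits."""
    autonomy_level: int = 0            # 0 = human approves every action ... 3 = fully autonomous
    tool_use_scope: int = 0            # 0 = no tools ... 3 = broad, privileged tool/API access
    multi_agent: bool = False          # vulnerability can propagate across agent networks
    non_deterministic: bool = False    # manifests inconsistently, complicating detection
    self_modification: bool = False    # compromised agent can alter its own instructions/memory


# Assumed weights: the maximum share of amplification each factor can contribute.
WEIGHTS = {
    "autonomy_level": 0.30,
    "tool_use_scope": 0.25,
    "multi_agent": 0.15,
    "non_deterministic": 0.10,
    "self_modification": 0.20,
}
MAX_LEVEL = 3  # assumed top value of the graded factors


def factor_contributions(ctx: AgenticContext) -> dict[str, float]:
    """Return each factor's contribution to the amplification, in [0, weight]."""
    if not (0 <= ctx.autonomy_level <= MAX_LEVEL and 0 <= ctx.tool_use_scope <= MAX_LEVEL):
        raise ValueError("autonomy_level and tool_use_scope must be in 0..3")
    return {
        "autonomy_level": WEIGHTS["autonomy_level"] * ctx.autonomy_level / MAX_LEVEL,
        "tool_use_scope": WEIGHTS["tool_use_scope"] * ctx.tool_use_scope / MAX_LEVEL,
        "multi_agent": WEIGHTS["multi_agent"] if ctx.multi_agent else 0.0,
        "non_deterministic": WEIGHTS["non_deterministic"] if ctx.non_deterministic else 0.0,
        "self_modification": WEIGHTS["self_modification"] if ctx.self_modification else 0.0,
    }


def contextual_score(cvss_base: float, ctx: AgenticContext) -> float:
    """Amplify a CVSS 4.0 base score by the deployment context, clamped to 0-10.

    Combining rule (assumption): base * (1 + sum of contributions), rounded to one decimal.
    A context with no agentic capabilities leaves the base score unchanged.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in 0.0..10.0")
    amplification = sum(factor_contributions(ctx).values())
    return min(10.0, round(cvss_base * (1.0 + amplification), 1))


def dominant_factors(ctx: AgenticContext, top: int = 2) -> list[str]:
    """Name the factors that contributed most to the amplification, for triage notes."""
    contrib = factor_contributions(ctx)
    ranked = sorted((kv for kv in contrib.items() if kv[1] > 0), key=lambda kv: kv[1], reverse=True)
    return [name for name, _ in ranked[:top]]


if __name__ == "__main__":
    # Constructed scenario: the same flaw, CVSS base 4.0, deployed (a) behind a
    # human-in-the-loop chatbot and (b) inside an autonomous, tool-using agent.
    base = 4.0
    chatbot = AgenticContext()
    agent = AgenticContext(autonomy_level=3, tool_use_scope=3, multi_agent=True, self_modification=True)
    print(f"chatbot: {contextual_score(base, chatbot)}")
    print(f"agent:   {contextual_score(base, agent)} driven by {dominant_factors(agent)}")
```

The point the model makes concrete is the one in the text above: the CVSS base score is a property of the code, while the contextual score is a property of the deployment, so a risk register that stores only the base score will rank the chatbot and the autonomous agent identically even though the realistic impact differs.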
Status and Roadmap
- v0.8 published March 19, 2026; currently in the community review phase
- Next community review period opens: April 16, 2026
- OWASP AIBOM Generator is a companion tool that produces AI bills of materials in CycloneDX format for inventorying AI components
- A ratified v1.0 would be the first standardized AI vulnerability scoring methodology
Why This Matters
The absence of an AI-specific scoring system means:
- CVE reporters default to CVSS 4.0, which may systematically underweight agentic vulnerabilities
- Risk prioritization across organizations is inconsistent
- No common language for comparing AI vulnerability severity
AIVSS provides the scoring methodology needed to make the ASI Top 10 quantitatively actionable.
Strengths
- First and only AI-specific vulnerability scoring extension
- Addresses the fundamental limitation of CVSS for agentic systems
- OWASP community governance ensures vendor-neutral development
- Direct integration with CVSS 4.0 eases adoption for security teams already using CVSS
Gaps and Shortcomings
- Still v0.8 and in community review; has not reached the adoption level of CVSS
- Formal validation of amplification factor weights is ongoing
- No integration specification yet for how AIVSS scores are mapped onto, or recorded alongside, NVD/CVE records
- Implementation tooling limited to community review documentation
See Also
- OWASP (publisher)
- OWASP Top 10 for Agentic Applications (ASI Top 10), which provides the risk taxonomy that AIVSS scores
- OWASP Top 10 for LLM Applications; AIVSS also applies to LLM vulnerabilities