CVSS 3.0 vs 3.1: what actually changed
Last reviewed June 2, 2026
CVSS v3.1, released in 2019, is a clarification of CVSS v3.0 (2015), not a redesign. The metrics, the 0.0 to 10.0 scale, the scoring formula, and the five severity bands are the same. What changed is the wording and guidance: v3.1 sharpened the definitions of Scope, Attack Complexity, Privileges Required, and the environmental metrics so analysts score consistently. Vectors are interchangeable apart from the version prefix.
The short version
CVSS v3.0 was published by FIRST in 2015 and introduced the modern model: the None and Critical ratings, Privileges Required, User Interaction, and the Scope metric. CVSS v3.1 arrived in 2019 to fix a different problem. The model was sound, but analysts were applying some metrics inconsistently because the definitions left room for interpretation.
So v3.1 is best understood as an errata-and-clarity release. It did not change the metrics, the metric values, the 0.0 to 10.0 scale, the scoring equations, or the severity bands. A vulnerability scored the same way under both versions produces the same number. The version prefix on the vector simply changes from CVSS:3.0 to CVSS:3.1.
CVSS 3.0 vs 3.1 side by side
| Aspect | CVSS 3.0 (2015) | CVSS 3.1 (2019) |
|---|---|---|
| Scale | 0.0 to 10.0 | 0.0 to 10.0 (identical) |
| Severity bands | None / Low / Medium / High / Critical | Same five bands |
| Base metrics | AV, AC, PR, UI, S, C, I, A | Same metrics and values |
| Scoring formula | Defined formula | Same formula |
| Scope (S) definition | Introduced but often misread | Wording clarified for consistency |
| Environmental metrics | Present | Refined guidance, same structure |
| Nature of release | New scoring model | Clarification and errata, not a redesign |
| Vector prefix | CVSS:3.0 | CVSS:3.1 |
What v3.1 actually clarified
The headline fixes were definitional. The Scope metric, which captures whether an exploited vulnerability can impact resources beyond its own security authority, was widely misunderstood under v3.0, so v3.1 rewrote its definition and examples. The guidance for Attack Complexity, Privileges Required, and the environmental Security Requirements was likewise tightened to reduce scoring disagreements.
- Scope (S): clearer language about what counts as a security authority boundary.
- Attack Complexity (AC): sharper distinction between conditions inside and outside the attacker's control.
- Privileges Required (PR): clarified how to treat privileges relative to the vulnerable component.
- Environmental metrics: refined guidance so re-scoring for your own deployment is more repeatable.
Which version should you use?
Prefer v3.1 whenever you are scoring fresh, because it is the de facto standard and the most widely published version, and its clearer definitions reduce disagreement. You will still see plenty of v3.0 scores on older records; because the formula is identical, you can treat a v3.0 and a v3.1 score for the same vector as equivalent. That is not true across the v3.x to v4.0 boundary, where the metrics and math genuinely differ.
Keep exploring
- CVSS versions explainedThe full history from v2.0 to v4.0.
- CVSS 4.0 vs 3.1The version jump that did change the model.
- CVSS 3.1 calculatorScore a vector under the clarified v3.1 model.
- CVSS 3.0 calculatorConfirm the identical score under v3.0.
- How is a CVSS score calculated?The exploitability and impact sub-scores behind the number.
Frequently asked questions
- Is there a real difference between CVSS 3.0 and 3.1?
- Not in the math. CVSS 3.1 uses the same metrics, formula, scale, and severity bands as 3.0. The difference is clearer definitions and guidance, especially for the Scope metric, so analysts score more consistently.
- Will a vulnerability get a different score in 3.0 versus 3.1?
- No. Because the scoring formula and metric values are unchanged, the same vector produces the same score in both versions. Only the version prefix on the vector differs.
- Why was CVSS 3.1 released if the formula did not change?
- To fix inconsistent scoring. Several v3.0 definitions, notably Scope, were misread, so v3.1 rewrote the wording and examples to make scoring repeatable without altering the model.
- Can I compare a CVSS 3.0 score to a 3.1 score?
- Yes. They are directly comparable because the model is identical. This is different from comparing v3.x to v4.0, which use different metrics and a different scoring engine.
