Not everyone in IT has heard of the Common Vulnerability Scoring System (CVSS), launched formally earlier this year, but it could turn into one of the most interesting stories of 2006 nonetheless.

The name has a bureaucratic ring to it but don’t be put off. CVSS is an eminently sensible attempt to give hard-pressed corporates a way to work out which of the many vulnerabilities they should patch, and in what order. This is achieved using a scoring system, which rates all such holes, and is designed to be used by all vendors.

Vendors currently have their own rating systems. But as most large companies use equipment from multiple vendors, juggling several incompatible scales leads to obvious extra workload and confusion. And even then they don’t necessarily know which vulnerabilities are the ones to watch.

When Techworld spoke to Gerhard Eschelbeck, CTO of Qualys and one of the individuals who helped develop the CVSS, he was at pains to stress that it is not a way of measuring threats. It is for assessing vulnerabilities, a different way of looking at the security problem.
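To make the prioritisation idea concrete, here is an added example (not from the Techworld article, nor from Qualys or the CVSS maintainers) that implements the base-score equation of the original 2005 CVSS specification and uses it to order a mixed-vendor patch queue. It assumes the article refers to that first version of the standard; the vendor names and vulnerability labels are constructed for illustration and do not refer to real advisories.

```python
"""CVSS version 1 base score, applied to prioritise a mixed-vendor patch queue.

Added example, not code from the article. The metric weights are those of
the original CVSS base equation (2005); the vulnerability list below is
constructed and does not describe real products or advisories.
"""
from dataclasses import dataclass

# Base metric weights from the CVSS v1 specification.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias weights, in the order (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}


@dataclass(frozen=True)
class Vulnerability:
    vendor: str
    name: str            # constructed label, not a real advisory identifier
    access_vector: str
    access_complexity: str
    authentication: str
    confidentiality: str
    integrity: str
    availability: str
    bias: str = "normal"


def base_score(v: Vulnerability) -> float:
    """CVSS v1 base equation:
    10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded to one decimal."""
    cb, ib, ab = IMPACT_BIAS[v.bias]
    impact = (IMPACT[v.confidentiality] * cb
              + IMPACT[v.integrity] * ib
              + IMPACT[v.availability] * ab)
    raw = (10 * ACCESS_VECTOR[v.access_vector]
           * ACCESS_COMPLEXITY[v.access_complexity]
           * AUTHENTICATION[v.authentication]
           * impact)
    return round(raw, 1)


def prioritise(vulns):
    """Return (score, vendor, name) tuples, highest base score first.

    Because every vendor's hole lands on the same 0-10 scale, the queue can be
    sorted as one list instead of one list per vendor."""
    scored = [(base_score(v), v.vendor, v.name) for v in vulns]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample queue spanning three vendors.
SAMPLE_QUEUE = [
    Vulnerability("VendorA", "local-config-leak", "local", "high", "required",
                  "partial", "none", "none"),
    Vulnerability("VendorB", "remote-service-compromise", "remote", "low",
                  "not_required", "complete", "complete", "complete"),
    Vulnerability("VendorC", "web-app-info-disclosure", "remote", "low",
                  "not_required", "partial", "partial", "partial"),
]

if __name__ == "__main__":
    for score, vendor, name in prioritise(SAMPLE_QUEUE):
        print(f"{score:4.1f}  {vendor:8s} {name}")
```

The base score captures only intrinsic properties of the hole (how it is reached, whether authentication is needed, what it does to confidentiality, integrity and availability), which is exactly the distinction Eschelbeck draws: it ranks vulnerabilities, not the likelihood that someone is currently attacking you with them.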

How CVSS assesses vulnerabilities is best explored by visiting the website of the organisation tasked to look after its ongoing development.

There is a wee problem in all this: Microsoft. Vendors have to adopt the system in an evolutionary way for it to succeed and Microsoft is a notable absentee from the impressive list of those already involved.

“My understanding is that Microsoft is evaluating CVSS,” says Eschelbeck. That could just be a polite way for the company to sit on the fence. Ironic perhaps, given that patch Tuesday has turned into one of the security events of any month.

Still, as Eschelbeck points out, it is a system that will in the end be driven by an even more powerful force than Redmond – the customer.