AIVSS: Bridging AI Security Gaps for Safer Applications

Alan V Gutnov

Director of Strategy

 
November 10, 2025 5 min read

TL;DR

The OWASP AI Vulnerability Scoring System (AIVSS) provides a structured framework for assessing and managing AI security risks, especially for agentic AI. It offers a scoring methodology, a comprehensive framework package with guides and a calculator, and aims to address unique AI risk factors beyond traditional CVSS. The project is actively seeking contributors and has a clear roadmap for future development and industry application.

OWASP AI Vulnerability Scoring System (AIVSS)

The OWASP AI Vulnerability Scoring System (AIVSS) aims to provide a structured methodology for identifying, assessing, and mitigating vulnerabilities in AI systems. The goal is a complete AIVSS Framework Package that serves as a baseline for understanding and managing AI security risks across the entire AI landscape. You can sign up as a contributor to the OWASP AIVSS project. The project welcomes contributors of all experience levels. OWASP Membership is not required. An interactive AIVSS calculator is available to calculate vulnerability scores and generate reports.

Key Deliverables of AIVSS

The OWASP AIVSS project has several key deliverables:

  1. AIVSS Scoring System For OWASP Agentic AI Core Security Risks: A scoring methodology tailored to the unique risks identified in the OWASP Agentic AI Core Risks. This includes rubrics and guidelines for assessing the severity and exploitability of specific vulnerabilities. The initial focus is on metrics directly applicable to scoring the OWASP Agentic AI Core Risks.
  2. Comprehensive AIVSS Framework Package:
    • Standardized AIVSS Framework: A scalable framework validated across a diverse range of AI applications, including and extending beyond Agentic AI.
    • AIVSS Framework Guide: Detailed documentation explaining the metrics, scoring methodology, and application of the framework.
    • AIVSS Scoring Calculator: An open-source tool to automate and standardize the vulnerability scoring process.
    • AIVSS Assessment Report Templates: Standardized templates for documenting AI vulnerability assessments.

Roadmap

The initial roadmap for the AIVSS project includes:

  1. AIVSS Scoring System For OWASP Agentic AI Core Security Risks (Months 1-3): Define core AIVSS metrics, with an initial focus on metrics directly applicable to scoring the OWASP Agentic AI Core Risks.
  2. AIVSS Framework Specialization & Expansion (Months 4-6): Develop specialized scoring rubrics for other specific AI system types (beyond Agentic AI).
  3. AIVSS Scoring Calculator Development (Months 7-9): Develop the core functionality of the AIVSS scoring calculator, ensuring it supports core AIVSS metrics and specialized rubrics.
  4. AIVSS Tool Testing and Refinement (Months 10-12): Test the AIVSS scoring calculator against a diverse set of AI systems, generating assessment reports.
  5. Documentation and Release (Month 12): Finalize the AIVSS Framework Guide and release the AIVSS Scoring Calculator as an open-source project.

Multi-Year Project Roadmap

The AIVSS project has a multi-year roadmap:

  • Year 2: Apply AIVSS to Financial and Healthcare Industries: Develop industry-specific guidelines for applying AIVSS to AI systems in finance and healthcare.
  • Year 2/3: Expand AIVSS for Emerging AI Threats: Continuously update the AIVSS framework to address new AI security threats.
  • Year 3+: AIVSS Certification Program: Explore creating a certification program for professionals proficient in using the AIVSS framework.

AIVSS Calculator Demo

The AIVSS calculator demo allows users to calculate vulnerability scores for AI systems, understand the impact of different security factors, and generate detailed reports.

AIVSS Kickoff Meeting

Ken Huang, Co-Leader of the Project, wrote a blog post about the kickoff meeting. [OWASP AIVSS: The Kickoff Meeting]

AIVSS Scoring System v0.5

The OWASP AI Vulnerability Scoring System (AIVSS) is a standardized framework for assessing and quantifying security risks in AI systems, with a specific focus on agentic AI architectures. Version 0.5 is the initial release of the scoring methodology. The document is designed for security professionals, AI developers, and risk assessors seeking to implement security measures for their AI systems. The project repository is actively maintained by the OWASP AIVSS project team.

Key features include:

  • Standardized Risk Assessment: Provides a consistent methodology for evaluating AI vulnerability severity across different systems and contexts.
  • Agentic AI Focus: Tailored specifically for the unique challenges and risk vectors present in autonomous AI agents.
  • Industry Integration: Designed to complement existing security frameworks while addressing AI-specific vulnerabilities.
  • Practical Implementation: Includes actionable guidelines and scoring criteria for security professionals.

The document includes a detailed methodology for calculating AIVSS scores based on multiple risk factors, comprehensive coverage of AI-specific vulnerabilities, step-by-step instructions for conducting AIVSS evaluations, real-world examples, and best practices for incorporating AIVSS into existing security workflows. You can download the AIVSS v0.5 PDF.

AIVSS Closes the Gap

CVSS provides a standardized way to score the technical severity of flaws in software. The NIST AI Risk Management Framework (AI RMF) mandates that organizations “Measure” their risks. AIVSS extends CVSS to measure risks that emerge from an agent’s unique behavioral characteristics.

AIVSS incorporates a range of agentic AI risk factors that are outside the scope of traditional vulnerability scoring, such as:

  • Autonomy: How much damage can an agent do on its own if its goal is manipulated?
  • Tool Use: What is the risk profile of the tools the agent can access?
  • Memory Use: How does the agent’s ability to learn and remember over time create new attack vectors?
  • Dynamic Identity: Can the agent create or assume different identities?
  • Complex Agent-to-Agent Orchestration: How can complex interaction patterns be exploited in multi-agent systems?
  • Non-deterministic Behavior: How do we account for the risk that an agent might behave unpredictably?

AIVSS uses mechanisms like the Agent Characteristics Multiplier (ACM) to convert the answers to these questions into a quantifiable risk factor. You can watch conversations from the recent Checkmarx Agentic AI Summit.

OWASP Global AppSec US Conference

From November 3-7, 2025, join over 800 industry experts at the OWASP Global AppSec US Conference in Washington, D.C.

OWASP AppSec Days France 2025

OWASP AppSec Days France 2025 will be held on Tuesday, September 23, 2025, in Paris, France.

OWASP Certified Secure Software Developer

OWASP is creating a certification program for developers named OWASP Certified Secure-Software Developer - OCSD.

State of Agentic AI Security & Governance Report

The Open Worldwide Application Security Project (OWASP) has published the State of Agentic AI Security and Governance (v1.0). The report provides a comprehensive view of the landscape for securing and governing autonomous AI systems and explores the frameworks, governance models, and global regulatory standards shaping responsible Agentic AI adoption.

The report highlights resources from the OWASP Gen AI Security Project and the Agentic Security Initiative, including Threat Modeling Guides for Agentic AI & Multi-Agent Systems, Agentic Threats Navigator, Securing Agentic Applications Guide, and Vulnerable Agentic Code Samples & Security Tooling References.
