This standard specifies the grading elements and hazard levels of information system security vulnerabilities (referred to as vulnerabilities). This standard applies to information security vulnerability management organizations and information security vulnerability release agencies to assess and identify the degree of harm of information security vulnerabilities, and is suitable for information security product production, technology research and development, system operation and other organizations and institutions to refer to in related work.