With the first TSR release of 2015 we began providing CVSSv2 scores in our full disclosure of resolved security issues in cPanel & WHM. The CVSSv2 scoring system is a free and open standard that attempts to rate the severity of security vulnerabilities (finalized in June 2007). In June 2015 this scoring system was updated to version 3, and includes several changes to the way that the scores are determined. Specifically, the underlying vectors used to derive the numerical scores of the metric groups have been changed, and the updated scoring system is intended to reflect a more accurate estimation of the severity of vulnerabilities.
Beginning with the second TSR release of 2017 (TSR-2017-0002, expected on March 21st), we will provide a CVSSv3 Base vector score range in our TSR announcements, and the full Base vector string and score for each resolved vulnerability in our full disclosure announcements. If you would like to learn more about the various vectors used to calculate CVSSv3 scores along with the underlying reasoning as applicable to the CVSS standard, please see https://www.first.org/cvss and https://www.first.org/cvss/calculator/3.0.