Cyver Core implements CVSS, the “Common Vulnerability Scoring System”. You can set this score when uploading, importing, or editing a Finding.
The CVSS Score is a numerical (1-10) value representing the severity of a Finding. In most cases, it’s used to help clients prioritize remediation. CVSS scores are based on three sets of metrics: Base, Temporal, and Environmental. Each uses its own scoring component.
| Rating | CVSS Score |
| --- | --- |
| None | 0.0 |
| Low | 0.1-3.9 |
| Medium | 4.0-6.9 |
| High | 7.0-8.9 |
| Critical | 9.0-10.0 |
Base Metrics
Base Metrics define the characteristics of a vulnerability. These remain static over time. Refer to the National Vulnerability Database for existing standards for vulnerabilities.
Base Metrics are further broken down into three subscoring categories, with a low risk being a low score.
- Exploitability – Comprising characteristics of the vulnerable component
  - Attack Vector – access level required to exploit a vulnerability
  - Attack Complexity – reliance on factors outside the attacker’s control
  - Privileges Required – privileges required to conduct the exploit
  - User Interaction – User participation required
- Scope – How easily the vulnerability is propagated in other elements
- Impact – Detailing actual outcomes of exploiting a vulnerability
  - Confidentiality – Quantity/Value of data the vulnerability gives access to
  - Integrity – How easily the attacker can change data in the impacted system
  - Availability – Measuring potential loss of availability of the exploited system
Temporal Metrics
Temporal metrics track how vulnerabilities change over time.
- Exploit Code Maturity – availability of code to exploit the vulnerability
- Remediation Level – availability of a remediation, patch, or fix
- Report Confidence – validation demonstrating the vulnerability is real and exploitable
Environmental Metrics
Environmental metrics update base and temporal metrics based on security requirements for the asset or organization.
- Security Requirements – the security requirements of the asset in question
- Modified Base Metrics – reducing or increasing base metrics based on system factors and mitigating measures
Ideally, CVSS scores are set based on the organization in question, helping Clients to see which Findings they should prioritize for remediation.
CVSS scores are used in the dashboard and in the Threat Risk Profile for each client. See the CVSS 3.1 Scoring Calculator by FIRST.org.