CVSS Scoring

CVSS stands for The Common Vulnerability Scoring System and is an industry open standard designed to convey vulnerability severity and risk. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) tasked in support of the global Vulnerability Disclosure Framework. It is currently maintained by FIRST (Forum of Incident Response and Security Teams).

Where can I learn more about CVSS standards?

The service supports CVSS Version 2 and CVSS Version 3.1.

For general CVSS standards information, visit the FIRST CVSS Home page at:

http://www.first.org/cvss/

For specific information on the CVSS standards read here:

http://www.first.org/cvss/user-guide.html

How do I enable CVSS Scoring?

Managers enable the CVSS Scoring feature for the subscription on the CVSS Setup page (Reports > Setup > CVSS). Note that CVSS Scoring is not enabled by default in a new subscription.

Once enabled, where can I see CVSS scores?

You'll see CVSS v2 and CVSS v3.1 scores along with the vector strings for vulnerabilities and potential vulnerabilities throughout the UI and in your reports. We do not display CVSS scores for information gathered. CVSS Base and Temporal scores are displayed in scan reports that include vulnerability details. CVSS vector string is displayed in CSV format for scan report. CVSS scores are included in template-based scan reports with host-based and scan-based findings. CVSS v2 and CVSS v3.1 scores along with the vector strings are also displayed in the PCI scan report.

Learn more about CVSS vector strings

Tell me about CVSS scoring metrics

These values are needed to calculate the CVSS score for a vulnerability: Base Score, Temporal Score and Environmental metrics. The Base and Temporal scores are provided by our security service. Environmental metrics are user-defined and assigned to asset groups.

Diagram showing CVSS metrics for calculating Final CVSS score

 

Tell me about service-provided valuesTell me about service-provided values

CVSS Base Score measures the fundamental, unchanging qualities of a vulnerability. The Base score is modified by the CVSS Temporal Score and Environmental metrics when the final CVSS score is calculated.

CVSS Temporal Score measures time dependent qualities of a vulnerability, which may change over time. The Temporal score allows for mitigating factors to reduce the overall CVSS score for a vulnerability.

CVSS Access Vector is part of the CVSS Base metric group and reflects the level of access required to exploit a vulnerability. CVSS Access Vector values are Local Access, Adjacent Network and Network. Note that CVSS Access Vector only appears on the Vulnerability Information page.

Tell me about user-provided environmental metricsTell me about user-provided environmental metrics

CVSS Environmental Metrics capture the characteristics of a vulnerability that are associated with the user's IT environment. Users set these values in asset groups - the values set for a group apply to all hosts in the group.

Collateral Damage Potential represents the possibility for loss in physical equipment and property damage.

Target Distribution represents the relative size of the field of the target systems susceptible to the vulnerability.

The following Security Requirements metrics enable users to customize the final CVSS score, depending on the importance of the affected host to the user's organization.

Confidentiality Requirement represents the impact that loss of confidentiality has on the organization or individuals associated with the organization (for example employees, customers).

Integrity Requirement represents the impact that loss of integrity has on the organization or individuals associated with the organization (for example employees, customers).

Availability Requirement represents the impact that loss of availability has on the organization or individuals associated with the organization (for example employees, customers).

How is the score calculated when a QID has multiple CVE IDs associated with it?

We use the highest CVE base score for CVSSv2, except when the QID has a mix of Denial of Service (DoS) CVEs and other types of vulnerabilities (non-DoS) CVEs. In such cases, we exclude all the Denial of Service CVEs and use the highest non-DoS CVE base score. This is done to ensure the QIDs are marked accurately for PCI DSS compliance since PCI DSS does not consider CVSS scores for DoS vulnerabilities.