Common Vulnerability Scoring System (CVSS)

What is Common Vulnerability Scoring System (CVSS)?

The common vulnerability scoring system (CVSS) is a method for security professionals to track vulnerability levels of findings in a simple and easy-to-understand way. CVSS is an open source framework for communicating the characteristics and severity of vulnerabilities. It consists of three metric groups: Base, Temporal, and Environmental. The base metrics produce a score ranging from 0 to 10, which can be modified by scoring the temporal and environmental groups.

How to Calculate a CVSS Score?

A CVSS score combines three metric groups: Base, Temporal, and Environmental. The score ranges from 0 to 10, with 10 indicating the most severe.

CVSS Score      Qualitative Rating
0.0             None
0.1 – 3.9       Low
4.0 – 6.9       Medium
7.0 – 8.9       High
9.0 – 10.0      Critical

Base: The base score is the starting point of the CVSS calculation. It describes the intrinsic qualities of a vulnerability that are constant over time and across different user environments. The base calculations consider the actual attack vector, attack complexity, and the overall impact.

Temporal: Once the base calculation has been determined, the supplementary temporal score can be calculated. The temporal calculation reflects the characteristics of a vulnerability that change over time. Temporal characteristics include remediation level, exploit code maturity, and report confidence.
Environmental: The last aspect of the CVSS calculation is environmental. The environmental calculation represents vulnerability aspects that are unique to a user’s environment, including the modified base metrics, as well as the confidentiality, integrity, and availability requirements.

Why Is Common Vulnerability Scoring System (CVSS) Important?

The common vulnerability scoring system (CVSS) provides a simple way to categorize, rank, and standardize vulnerability scoring for organizations across different industries. The formula for calculating the CVSS score is open and freely accessible to everyone. CVSS provides clarity and transparency for understanding the scores and how they were calculated. CVSS also exposes both simple and more specific metrics, giving organizations the freedom to determine scores based on a variety of circumstances.

How Can PlexTrac Enhance the Common Vulnerability Scoring System (CVSS)?

CVSS scoring data appears in tables and analytics across the platform, allowing users to sort and filter by risk scores. Other scoring framework options are still available in the PlexTrac platform, and all scoring data can be overridden if necessary.

PlexTrac’s wide range of vulnerability scanner integrations helps pentesting teams and organizations import all their findings, ensuring a seamless compilation and organization of vulnerabilities. All PlexTrac integrations have been standardized to consistently import CVSS, CVE, and CWE data, reducing manual copying and pasting and optimizing reporting workflows.

Request a demo today to learn more about how PlexTrac aggregates pentest and vulnerability data from various tools and scanners and effectively prioritizes risk.