🛡️ Methodology Checklist
- Identify Base Score components: AV, AC, PR, UI, S, C, I, A
- Apply Temporal modifiers: Exploit Code Maturity, Remediation Level, Report Confidence
- Apply Environmental modifiers for client-specific context
- Map CVSS score to severity: 0=None, 0.1-3.9=Low, 4.0-6.9=Med, 7.0-8.9=High, 9.0-10.0=Critical
- Use CVSS score to prioritise findings in report
- Do NOT use raw CVSS alone — contextualise with environment and exploitability
🎯 Operational Context
Think Dumber First: The CVSS base score is a starting point, not the final answer. A base 9.8 on a host reachable only from the LAN is less impactful in context than a 7.5 on an internet-exposed service with no authentication. Always annotate the base score with your environmental context. For CPTS: Critical ≥9.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, Informational 0.
When you land here: You have a finding to score. Work through the CVSS v3.1 metrics in order: Attack Vector → Complexity → Privileges Required → User Interaction → Scope → CIA impact. Use the NVD CVSS calculator at nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (No CLI commands — scoring reference) | |
| Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator | Calculate exact float scores |
🔬 Deep Dive & Workflow
Overview
CVSS is the industry standard for calculating vulnerability severity. It provides consistent scoring that can be used to prioritise remediation. Scanning tools (Nessus, OpenVAS) report CVSS scores automatically.
Companion Model: DREAD (Microsoft) rates risk 1-10 on each of: Damage, Reproducibility, Exploitability, Affected Users, Discoverability.
Three Metric Groups
1. Base Metrics (Intrinsic — constant over time)
Exploitability:
| Metric | Description |
|---|---|
| Attack Vector | How accessed: Network, Adjacent, Local, Physical |
| Attack Complexity | Conditions beyond attacker’s control |
| Privileges Required | Access level needed before attack |
| User Interaction | Whether a user must participate |
Impact (CIA Triad):
| Metric | High | Low |
|---|---|---|
| Confidentiality | Steal passwords/keys | Access non-vital info |
| Integrity | Modify crucial business files | Non-critical file modification |
| Availability | Environment completely unavailable | Partial denial of access |
2. Temporal Metrics (Change over time)
| Metric | Values |
|---|---|
| Exploit Code Maturity | High (reliable/automated), Functional, PoC, Unproven |
| Remediation Level | Official Fix, Temporary Fix, Workaround, Unavailable |
| Report Confidence | Confirmed, Reasonable |
3. Environmental Metrics (Organization-specific)
Adjusts the Base CIA impact according to how critical the affected system is to the organization.
Quick Scoring Reference (Exam)
| Scenario | CVSS Implications |
|---|---|
| RCE via network | High C/I/A + Network AV = Critical/High |
| XSS | Requires User Interaction (UI:R) |
| Authenticated RCE | Privileges Required (PR) ≠ None |
| Local PrivEsc | Attack Vector = Local |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| CVSS score conflicts between scanners | Different CVSS versions (v2/v3/v3.1) | Always use CVSSv3.1 (current standard); note version in report; v2 scores are not comparable to v3 |
| Score seems too high for actual impact in the environment | Base score not adjusted for environment | Apply Environmental Score metrics (CR/IR/AR); document adjusted score alongside base score |
| Client disputes severity rating | Different risk tolerance or business context | Walk through each metric with client; agree on values; document consensus in report; offer rescoring with Environmental metrics |
| Finding has high business impact but low CVSS score | CVSS doesn’t capture all risks | Supplement CVSS with narrative business risk explanation; note data sensitivity, regulatory context |
| Two findings seem equally severe but CVSS differs significantly | Different attack vectors or complexity | CVSS is objective; explain metric differences; client perception may differ from technical reality |
📝 Reporting Trigger
Finding Title: (CVSS is a scoring methodology — apply it to all individual findings. Document the CVSS v3.1 vector string alongside the numeric score: e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 Critical. Include both Base and Environmental scores in client-facing reports.)