Description of vulnerability scores in Cyberwatch

In Cyberwatch, each vulnerability is assigned a score that defines its severity. The following scores are used in Cyberwatch:

  • the CVSS V3 score;
  • the CVSS V2 score;
  • the Custom score.

The score used and displayed by default in Cyberwatch is the CVSS V3.

The score used and displayed can be chosen under Administration > Customization > Vulnerabilities.

CVSS scoring

The CVSS (Common Vulnerability Scoring System) is an international scoring system, maintained by FIRST, used to assess the severity of vulnerabilities based on impartial and measurable criteria.

The assessment is made from three metric groups:

  • the Base Score: reflects the intrinsic characteristics of a vulnerability, independent of any temporal or environmental context;
  • the Temporal Score: reflects characteristics of a vulnerability that change over time (new fixes available, new exploits published, confirmation of the report…);
  • the Environmental Score: reflects the characteristics of the vulnerability in a given environment (the asset or users concerned, for example) and the consequences its exploitation would have there.

Each group is made of several criteria that feed the CVSS formula. When there is not enough data to set a Temporal or Environmental criterion, its value is “Not defined”. For the Temporal Score, a “Not defined” criterion is weighted 1.0, exactly like its highest value (Exploit Code Maturity “High”, Remediation Level “Unavailable”, Report Confidence “Confirmed”), so a vulnerability whose temporal criteria are all “Not defined” keeps its Base Score as its Temporal Score. For the Environmental Score, a “Not defined” modified criterion falls back on the corresponding base criterion, and a “Not defined” security requirement is weighted 1.0 like “Medium”, so the score is left unchanged in both cases.

The FIRST website provides the official CVSS V3.1 calculator, used by the NVD and other organisations to score published vulnerabilities.

CVSS V2

CVSS V2 is version 2 of the CVSS. It is the former official score used as the international reference.

CVSS V3

CVSS V3 is version 3 of the CVSS. It is now the official scoring reference used globally.

It replaced CVSS V2 as the official reference in December 2015 (version 3.0; the current revision is 3.1). This version brings multiple changes to the scoring system, notably the Privileges Required, User Interaction and Scope criteria, which reflect more accurately vulnerabilities of the web application domain.

Exploit Code Maturity

How easy an exploit is to use, and how well it has been tested, generally depends on the database that publishes it. Cyberwatch reflects this through the Exploit Code Maturity.

Therefore, for a given vulnerability:

  • if no exploit is available, the exploit code maturity is set to Unproven;
  • if exactly one exploit is given by the NVD and/or at least one exploit is found on GitHub, the exploit code maturity is set to Proof of Concept;
  • if multiple exploits are given by the NVD and/or at least one exploit is present on SecurityFocus or Exploit-DB, the exploit code maturity is set to Functional;
  • if at least one exploit is available in Metasploit, the exploit code maturity is set to High.

The Exploit Code Maturity determined this way fills in the “Exploit Code Maturity” criterion of the official CVSS V3 score whenever that criterion is “Not defined”; a value already set by the official score is kept.

This metric can also be updated manually from the CVE’s edit panel.

Custom Score

The Custom Score makes it possible to modify the criteria that define the CVSS V3 base score. The following eight criteria can be modified:

  • Access Vector (named Attack Vector in CVSS V3);
  • Attack Complexity;
  • Privileges Required;
  • User Interaction;
  • Scope;
  • Confidentiality;
  • Integrity;
  • Availability.

Modifying any of these criteria recomputes the final score with the formula defined by FIRST for the CVSS V3 base score, so the custom score stays consistent with it. The score value can also be set directly, without modifying these criteria.