CVSS Scoring
Archer displays Common Vulnerability Scoring System (CVSS) scores from multiple data sources. Archer captures four different CVSS scores:
- Base Score
- Temporal Score
- Environmental Score
- Overall Score
CVSS v2 and v3.1 Scoring Methodologies
By default, newly ingested data is scored using the CVSS v3.1 scoring methodology. Calculated logic is used to analyze the data and determine the scoring methodology. If sufficient v3.1 data is present, the system produces a v3.1 score. If there is not sufficient v3.1 data, the score defaults to either v2.0 or null, depending on the data available. These scores are updated over time as data feeds regularly run and ingest new data.
In the Vulnerability Library application, the CVSS Scoring Methodology field enables you to choose between the v2.0 and v3.1 scoring. This scoring rolls up to Vulnerability Scan Results records.
Note: The v3.1 scoring methodology is used by default. If you want to change the default to use v2.0, you can edit the individual value in Application Builder. Changing the default value only affects new content. You can update existing content through Data Import or Bulk Update.
CVSS Score | Source Application | Notes |
---|---|---|
Base Score | Vulnerability Library | The Base score is linked from the associated Vulnerability Library record. |
Temporal Score | Vulnerability Library | The Temporal score is linked from the associated Vulnerability Library record. The severity is based on the following: If none of these scores exist, the Temporal Score is listed as Not Started. |
Environmental Score | Devices | The Environmental score is pulled from the associated device, and is a combination of the adjusted Base and Temporal scores. |
Overall Score | Vulnerability Library, Devices | The severity is based on the following: If none of these scores exist, the Overall Score is listed as Not Started. |
For resources and documentation on the CVSS versions, see the Forum of Incident Response and Security Teams (FIRST) website at https://www.first.org/cvss/.