Temporal CVSS Scores

Pallavi Vishwakarma
July 2, 2023

What is CVSS Score?

The common vulnerability scoring system (CVSS) is a way to assign scores to vulnerabilities on the basis of their principal characteristics. This score indicates the severity of a vulnerability. On that basis, it can be categorized into low, medium, high, and critical severity which the organization can use to prioritize the vulnerabilities present in the system.

The CVSS score ranges from 0.0 to 10.0, where 1.0 is considered the least severe and 10.0 the most severe. A CVSS score is derived from three metric groups: Base, Temporal, and Environmental. These three groups cover a vulnerability's intrinsic characteristics, how its impact changes over time, and how it is affected by a particular environment.

CVSS Score Metrics

The Base metric group represents the intrinsic characteristics of a vulnerability that do not change over time or across user environments, and therefore remain constant throughout the lifetime of the vulnerability.

The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. These metrics include a system's relative importance within a technology infrastructure and the existence of security safeguards that could reduce some or all of the effects of a successful attack.

The Temporal metric group reflects the characteristics of a vulnerability that may change over time but not across user environments. These metrics are occasionally, but not usually, reported in the NVD. For instance, the presence of an easy-to-use exploit kit would raise the CVSS score, whereas the presence and widespread use of an official patch would lower it. Therefore, the temporal score affects the CVSS score the most.

CVSS Temporal Metrics

The Temporal metrics assess the current state of exploit techniques or exploit code availability, the existence of any patches or workarounds, and the degree of confidence in the description of the vulnerability.

This metric group includes three metrics - Exploit Code Maturity, Remediation Level, and Report Confidence.

1. Exploit Code Maturity (E)

This metric assesses the likelihood that the vulnerability will be attacked. It is usually based on the current state of exploit techniques, the availability of exploit code, or active, "in-the-wild" exploitation.

There are five levels of maturity for exploit code:

  1. Not Defined (X) - There is not enough information to choose one of the other levels, so this value has no impact on the overall temporal score.
  2. High (H) - Functional exploit code exists and is widely available, reliable, and easy to use.
  3. Functional (F) - Functional exploit code exists but is not that reliable.
  4. Proof-of-Concept (P) - Exploit code exists but is not that reliable, and only highly skilled attackers can use it successfully.
  5. Unproven (U) - Exploit code is only theoretical.

2. Remediation Level (RL)

This metric ranks how easily a vulnerability can be remediated. The less official and permanent the fix, the higher the vulnerability score.

There are five levels of Remediation Level:

  1. Not Defined (X) - There is not enough information to choose one of the other levels, so this value has no impact on the overall temporal score.
  2. Unavailable (U) - There is no solution or patch available for the vulnerability.
  3. Workaround (W) - An unofficial patch is available, or the affected technology offers some steps that mitigate the impact of the vulnerability.
  4. Temporary Fix (T) - A temporary fix is available from the vendor.
  5. Official Fix (O) - An official patch is available, or an upgrade is provided by the vendor.

3. Report Confidence (RC)

This metric assesses the level of confidence in the vulnerability's existence and the reliability of the available technical information. For instance, if the vulnerability is acknowledged by the vendor of the affected technology then there is a high chance that the vulnerability is real.

Report Confidence has the following levels:

  1. Not Defined (X) - There is not enough information to choose one of the other levels, so this value has no impact on the overall temporal score.
  2. Confirmed (C) - Either the vendor has confirmed that the vulnerability exists, or a detailed report exists with source code that confirms the vulnerability.
  3. Reasonable (R) - Details have been published, but there is no full confidence in the root cause, and there is no access to the source code to properly verify all of the interactions that might have produced the outcome.
  4. Unknown (U) - There are reports indicating that the vulnerability exists, but the cause of the vulnerability is unknown and the reports are uncertain in nature.
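To show how the three Temporal metrics above move a score, here is an added example (not code from the original post) that computes a CVSS v3.1 Temporal score from a Base score and a Temporal vector such as `E:P/RL:O/RC:C`. It assumes the CVSS v3.1 specification's weights and Roundup function, which the post itself does not list; the Base score of 9.8 in the usage section is a constructed value.

```python
"""CVSS v3.1 Temporal score: Roundup(Base x E x RL x RC).

Metric weights and the Roundup function follow the CVSS v3.1 specification
(FIRST.org, section 7.4); they are not given on this page.
"""
import math

# Weights per Temporal metric value, from the CVSS v3.1 specification.
TEMPORAL_WEIGHTS = {
    "E":  {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},  # Exploit Code Maturity
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},  # Remediation Level
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},             # Report Confidence
}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value.
    Uses integer arithmetic so that float noise such as 4.000000001
    is treated as 4.0 rather than being pushed up to 4.1."""
    int_input = round(value * 100_000)
    if int_input % 10_000 == 0:
        return int_input / 100_000.0
    return (math.floor(int_input / 10_000) + 1) / 10.0


def parse_temporal_vector(vector: str) -> dict:
    """Parse the Temporal part of a v3.1 vector, e.g. 'E:P/RL:O/RC:C'.
    Omitted metrics default to Not Defined (X), which has weight 1.0."""
    metrics = {"E": "X", "RL": "X", "RC": "X"}
    for part in filter(None, vector.split("/")):
        name, _, value = part.partition(":")
        if name not in TEMPORAL_WEIGHTS or value not in TEMPORAL_WEIGHTS[name]:
            raise ValueError(f"invalid Temporal metric: {part!r}")
        metrics[name] = value
    return metrics


def temporal_score(base_score: float, vector: str) -> float:
    """Temporal = Roundup(Base x E x RL x RC), per CVSS v3.1."""
    m = parse_temporal_vector(vector)
    product = base_score
    for name, value in m.items():
        product *= TEMPORAL_WEIGHTS[name][value]
    return roundup(product)


if __name__ == "__main__":
    base = 9.8  # constructed Base score for illustration
    print("unproven, no fix, unknown:", temporal_score(base, "E:U/RL:U/RC:U"))  # 8.3
    print("in-the-wild, official fix:", temporal_score(base, "E:H/RL:O/RC:C"))  # 9.4
```

Note that a widely available exploit with no fix keeps the score at the Base value, while an official fix or low report confidence pulls it down; the Temporal score can never exceed the Base score.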

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
