...mobile autonomous code, or no exploit is required (manual trigger) and details are widely available. The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).

Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.2.2 Remediation Level (RL)

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The possible values for this metric are listed in Table 8. The less official and permanent a fix, the higher the vulnerability score is.
Table 8. Remediation Level Scoring Evaluation

Metric Value: Description

Official Fix (OF): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.

Temporary Fix (TF): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.

Workaround (W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.

Unavailable (U): There is either no solution available or it is impossible to apply.

Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.2.3 Report Confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of a vulnerability is publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The possible values for this metric are listed in Table 9. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.

9 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

Table 9. Report Confidence Scoring Evaluation
Metric Value: Description

Unconfirmed (UC): There is a single unconfirmed source or possibly multiple conflicting reports. There is little confidence in the validity of the reports. An example is a rumor that surfaces from the hacker

(UR): There are multiple non-official sources, possibly including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity.

Con...
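The three temporal metrics described above (Exploitability, Remediation Level and Report Confidence) are combined multiplicatively with the base score, and "Not Defined" is skipped by weighting it 1.0. The following is an added worked example, not code from the NIST document; the numeric weights are taken from the published CVSS v2 temporal equation (they are not printed in this excerpt), the half-up rounding of round_to_1_decimal is an assumption about that function, and the base scores used are constructed sample values.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights from the CVSS v2 temporal equation (not shown in the excerpt above).
# "ND" maps to 1.0 in every table: multiplying by 1.0 is exactly how the
# equation "skips" a metric that has not been defined.
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.00, "ND": 1.00}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.00, "ND": 1.00}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.00, "ND": 1.00}


def _weight(table, metric_name, value):
    """Look up a metric value, rejecting anything outside the defined set."""
    try:
        return table[value]
    except KeyError:
        raise ValueError(
            f"unknown {metric_name} value {value!r}; expected one of {sorted(table)}"
        ) from None


def round_to_1_decimal(x):
    """CVSS v2 round_to_1_decimal, assumed here to be half-up rounding.

    Decimal(str(x)) avoids binary-float artefacts such as 8.700000000000001."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_score(base_score, exploitability="ND", remediation_level="ND",
                   report_confidence="ND"):
    """TemporalScore = round_to_1_decimal(BaseScore * E * RL * RC).

    Defaults of "ND" for every metric return the base score unchanged, which is
    the behaviour the tables describe for Not Defined."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("base score must lie in [0, 10]")
    e = _weight(EXPLOITABILITY, "Exploitability", exploitability)
    rl = _weight(REMEDIATION_LEVEL, "Remediation Level", remediation_level)
    rc = _weight(REPORT_CONFIDENCE, "Report Confidence", report_confidence)
    return round_to_1_decimal(base_score * e * rl * rc)


def remediation_ladder(base_score, exploitability="ND", report_confidence="ND"):
    """Temporal score for each Remediation Level from most to least official.

    Makes the rule "the less official and permanent a fix, the higher the
    score" visible as a non-decreasing sequence OF -> TF -> W -> U."""
    return [(rl, temporal_score(base_score, exploitability, rl, report_confidence))
            for rl in ("OF", "TF", "W", "U")]


if __name__ == "__main__":
    # Constructed sample: base score 7.5, functional exploit, official fix,
    # vendor-confirmed report.
    print(temporal_score(7.5, "F", "OF", "C"))
    # Constructed sample: how the remediation stage alone moves a 10.0 base.
    for level, score in remediation_ladder(10.0, "H", "C"):
        print(level, score)
```

In practice the temporal component is what changes between the day an advisory appears and the day a vendor patch ships, so a prioritisation pipeline should recompute it as the Remediation Level and Report Confidence values move, rather than scoring a finding once at intake.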