vulnerability score. Vectors are further explained in Section 2.4.

2 Certain commercial equipment, instruments, or materials are identified in this paper in order to adequately specify and
describe the use of CVSS. Such identification is not intended to imply recommendation or endorsement by the National
Institute of Standards and Technology, nor is it intended to imply that the materials, instruments, or equipment identified are
necessarily the best available for the purpose.
3 See http://www.dhs.gov/xinfoshare/programs/Copy_of_press_release_0046.shtm and http://isc.sans.org/.
4 See http://cve.mitre.org/, http://cwe.mitre.org/index.html, and http://cwe.mitre.org/about/process.html.

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

Figure 2. CVSS Metrics and Equations (figure not reproduced in this preview: the base metrics, including the exploitability
group, feed the base equation f(x1, x2, … xn); the optional temporal and environmental metric groups feed f(y1, y2, … yn)
and f(z1, z2, … zn) respectively)

Optionally, the base score can be refined by assigning values to the temporal and environmental metrics.
This is useful in order to provide additional context for a vulnerability by more accurately reflecting the
risk posed by the vulnerability to a user’s environment. However, this is not required. Depending on
one’s purpose, the base score and vector may be sufficient.
If a temporal score is needed, the temporal equation will combine the temporal metrics with the base
score to produce a temporal score ranging from 0 to 10. Similarly, if an environmental score is needed,
the environmental equation will combine the environmental metrics with the temporal score to produce an
environmental score ranging from 0 to 10. Base, temporal and environmental equations are fully
described in Section 3.2.
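The three equations the paragraph above points to, worked through as an added example (this is not code from NISTIR 7435, NIST or FIRST): the script below parses CVSS v2 vector strings in the "AV:N/AC:L/…" notation and computes the base, temporal and environmental scores with the metric weights and equations published in the CVSS v2.0 guide. Arithmetic is done in Decimal so the one-decimal rounding is exact. The sample vector is constructed (it is shaped like the guide's Apache chunked-encoding example), and the helper that maps FIPS 199 Low/Moderate/High onto the CR/IR/AR security-requirement metrics is an assumption about the mapping the document's Section 4 describes, which is not part of this preview.

```python
"""CVSS v2 base, temporal and environmental scores from vector strings.
Added example (not from NISTIR 7435, NIST or FIRST); weights and equations
are those of the CVSS v2.0 guide. Decimal keeps the one-decimal rounding exact."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metrics are mandatory: there is no "Not Defined" (ND) value for them.
BASE = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
}
# Temporal metrics: ND weighs 1.0, so an unrefined temporal score equals the base score.
TEMPORAL = {
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
}
# Environmental metrics. CR/IR/AR are the impact subscore modifiers (security
# requirements) that the user, not the vendor, sets for their own systems.
REQUIREMENT = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}
ENVIRONMENTAL = {
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": REQUIREMENT, "IR": REQUIREMENT, "AR": REQUIREMENT,
}
# Assumed mapping of FIPS 199 potential-impact levels onto CR/IR/AR values
# (the document's Section 4 covers this; that section is not in the preview).
FIPS199_TO_REQUIREMENT = {"low": "L", "moderate": "M", "high": "H"}


def round1(x):
    """round_to_1_decimal from the guide; ties go up (9.15 -> 9.2)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def parse_vector(vector, table):
    """Map 'AV:N/AC:L/...' to {metric: weight}; absent metrics take ND if they have one."""
    weights = {}
    for part in filter(None, vector.split("/")):
        name, _, value = part.partition(":")
        if name not in table or value not in table[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[name] = table[name][value]
    for name, values in table.items():
        if name not in weights:
            if "ND" not in values:
                raise ValueError(f"mandatory metric {name} missing from {vector!r}")
            weights[name] = values["ND"]
    return weights

def impact_subscore(m, cr=D(1), ir=D(1), ar=D(1)):
    """Impact = 10.41 * (1 - (1 - C*CR)(1 - I*IR)(1 - A*AR)); CR/IR/AR are 1 for the base score."""
    return D("10.41") * (1 - (1 - m["C"] * cr) * (1 - m["I"] * ir) * (1 - m["A"] * ar))

def base_equation(m, impact):
    """BaseScore = round1((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)), f = 0 if Impact == 0 else 1.176."""
    exploitability = D(20) * m["AV"] * m["AC"] * m["Au"]
    f_impact = D(0) if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)

def base_score(base_vec):
    m = parse_vector(base_vec, BASE)
    return base_equation(m, impact_subscore(m))

def temporal_score(base_vec, temporal_vec="", base=None):
    """TemporalScore = round1(BaseScore * E * RL * RC); `base` lets the environmental
    equation substitute the adjusted base score."""
    t = parse_vector(temporal_vec, TEMPORAL)
    b = base_score(base_vec) if base is None else base
    return round1(b * t["E"] * t["RL"] * t["RC"])

def environmental_score(base_vec, temporal_vec, env_vec):
    """EnvironmentalScore = round1((AdjTemporal + (10 - AdjTemporal) * CDP) * TD), where
    AdjTemporal is the temporal score recomputed with AdjustedImpact = min(10, Impact(CR, IR, AR))."""
    m = parse_vector(base_vec, BASE)
    e = parse_vector(env_vec, ENVIRONMENTAL)
    adjusted_impact = min(D(10), impact_subscore(m, e["CR"], e["IR"], e["AR"]))
    adjusted_temporal = temporal_score(base_vec, temporal_vec, base=base_equation(m, adjusted_impact))
    return round1((adjusted_temporal + (D(10) - adjusted_temporal) * e["CDP"]) * e["TD"])

def requirements_from_fips199(confidentiality, integrity, availability):
    """CR/IR/AR vector fragment for a system's FIPS 199 impact levels (assumed mapping above)."""
    c, i, a = (FIPS199_TO_REQUIREMENT[level] for level in (confidentiality, integrity, availability))
    return f"CR:{c}/IR:{i}/AR:{a}"


if __name__ == "__main__":
    # Constructed input, shaped like the CVSS v2 guide's Apache chunked-encoding example.
    base = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    print(base_score(base))                                  # 7.8
    print(temporal_score(base, "E:F/RL:OF/RC:C"))            # 6.4 once a functional exploit and an official fix exist
    env = "CDP:H/TD:H/" + requirements_from_fips199("moderate", "moderate", "high")
    print(environmental_score(base, "E:F/RL:OF/RC:C", env))  # 9.2 on a widely deployed system with a high availability requirement
```

Two points worth noticing when running it: a temporal or environmental vector left entirely "Not Defined" reproduces the base score, which is why the base score and vector are often sufficient on their own; and the environmental equation does not simply scale the temporal score but recomputes the base equation with the user's CR/IR/AR modifiers folded into the impact subscore, so a high availability requirement can lift an availability-only vulnerability from 7.8 to 9.2.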
1.4 Who Performs the Scoring?
Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product
vendors, or application vendors because they typically have better information about the characteristics of
a vulnerability than do users. However, CVSS was designed to make it easy for users to check a vendor’s
calculations if desired. The environmental metrics are specified by users because users are best able to
assess the potential impact of a vulnerability within their own environments.
Environmental metrics, in particular the impact subscore modifiers, have a direct correlation to the
security categories and ratings defined in FIPS 199. Section 4 of this document provides details on how
agencies can use FIPS 199 to achieve accurate and compliant results when determining values for the
1.5 Who Owns CVSS?
CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST).
However, it is a completely free and open standard. No organization “owns” CVSS and membership in
FIRST is not required to use or implement CVSS. FIRST’s only request is that those organizations who...