The Six Metrics for a CVSS Score

The Tip of the Night for January 23, 2020 referred to NIST's Common Vulnerability Scoring System for evaluating how serious a flaw in a cybersecurity system is. A vulnerability can be assigned a score from 0 to 10 under the system, which uses six metrics to assess the severity of a flaw:

  1. ACCESS - access to a local account will only result in a score of 0.395. Network level access is graded a 1.0.

  2. ACCESS COMPLEXITY - this measures how difficult it is to exploit the vulnerability. If it can be used without the need for social engineering, the score will be higher.

  3. AUTHENTICATION - if the exploit requires the attacker to authenticate more than two times, the score will be lower.

  4. CONFIDENTIALITY - depending on the scope of data disclosed, the score may be higher.

  5. INTEGRITY - if the attacker can modify data at will, a score of 0.660 will be given.

  6. AVAILABILITY - an attack that lowers the performance of the system will result in a higher score.