Vulnerability Rating


Definition

Estimating the risk that a vulnerability poses to the business is important. Generally, risk is derived from the likelihood of an event occurring and its potential impact. Technical risk does not necessarily correspond to business risk; consequently, different risk rating methodologies for vulnerabilities exist.

The OWASP Risk Rating Methodology uses likelihood and impact metrics; based on a risk matrix, a risk rating can be assigned to a vulnerability.

A more formal rating methodology is the Common Vulnerability Scoring System (CVSS). The attributes of a vulnerability are combined to calculate a Base Score between 0 and 10. CVSSv3 optionally includes a Temporal Score and an Environmental Score. The Temporal Score incorporates factors that change over time, such as the availability of exploit code. The Environmental Score blends in system-specific aspects, for example the presence of mitigations.

For vulnerabilities reported by static code analysis tools, the Common Weakness Enumeration (CWE) can provide guidance.

Additional Resources