Managing CVSS Scores

The Common Vulnerability Scoring System (CVSS) provides a way for you to rate the severity of the vulnerabilities discovered in your application. It calculates a score using base metrics to help you determine the priority level for a reported vulnerability. Crowdcontrol includes a CVSS V3 Calculator that you can use to generate a score using base metrics, which represent the most intrinsic characteristics of a vulnerability.

• Enabling the CVSS Calculator
• Adding a CVSS Score

Base metrics measure the impact and exploitability of a vulnerability, which include the attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality impact (C), integrity impact (I), and availability impact (A).

To learn more about the base metrics, see https://www.first.org/cvss/calculator/3.0.

Enabling the CVSS Calculator

To enable the CVSS V3 Calculator:

1. Go to Settings.

   

2. Go to the Additional Fields tab.

   

3. Find the Common Vulnerability Scoring System v3 Calculator option and turn it on.

   

   The button turns blue when you enable the option.

   

   After you enable the calculator, you can go to any submission to add a CVSS score.

Adding a CVSS Score

CVSS scores can be added to any submission using the calculator.

To add a CVSS score to a submission:

1. Find the CVSS Base v3.0 field.

   

2. Click the Edit icon next to the field.

3. When the calculator appears, specify the values for each metric. To learn more about the metrics and what they measure, go to https://www.first.org/cvss/calculator/3.0.

   

4. Save your changes.

   After you save your changes, the CVSS score is added to the submission, along with the values you assigned to each metric.

   The CVSS score is not visible to researchers. You can edit the field as needed.

---