Managing CVSS Scores

The Common Vulnerability Scoring System (CVSS) provides a way for you to rate the severity of the vulnerabilities discovered in your application. It calculates a score from base metrics to help you determine the priority level for a reported vulnerability. Crowdcontrol includes a CVSS v3.1 Calculator that you can use to generate this score. Base metrics represent the most intrinsic characteristics of a vulnerability.

Base metrics measure the impact and exploitability of a vulnerability. They are the attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality impact (C), integrity impact (I), and availability impact (A).

To learn more about the base metrics, see https://www.first.org/cvss/calculator/3.1.

Enabling the CVSS Calculator

To enable the CVSS calculator:

  1. Select the required program and go to Settings.

  2. Click the Submissions tab.

  3. In the CVSSv3.1 section, move the slider to the right for the Common Vulnerability Scoring System v3.1 Calculator option.

    The “Enabled CVSS Calculation” message is displayed.

    After you enable the calculator, you can go to any submission to add a CVSS score.

Adding a CVSS Score

CVSS scores can be added to any submission using the calculator.

The CVSS score is not visible to researchers.

To add a CVSS score to a submission:

  1. Within a submission, go to the CVSS Base v3.1 section and click the Edit icon.

  2. When the calculator appears, specify the values for each metric. Use the scroll bar to scroll down and specify different metrics. To learn more about the metrics, go to https://www.first.org/cvss/calculator/3.1.

  3. Click Save to save your changes.

    After you save your changes, the CVSS score is added to the submission along with the values you have assigned for each metric.

