DRAFT CVSS v2.10 Equations (last revised 3-20-07)

 

CVSS Base Score Equation

 

BaseScore = (.6*Impact + .4*Exploitability - 1.5)*f(Impact)

 

Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20*AccessComplexity*Authentication*AccessVector

f(Impact) = 0 if Impact=0; 1.176 otherwise

 

AccessComplexity = case AccessComplexity of

                        high: 0.35

                        medium: 0.61

                        low: 0.71

 

Authentication   = case Authentication of

                        Requires no authentication: 0.704

                        Requires single instance of authentication: 0.56

                        Requires multiple instances of authentication: 0.45

 

AccessVector     = case AccessVector of

                        Requires local access: .395

                        Local Network accessible: .646

                        Network accessible: 1

 

ConfImpact       = case ConfidentialityImpact of

                        none:             0

                        partial:          0.275

                        complete:         0.660

 

IntegImpact      = case IntegrityImpact of

                        none:             0

                        partial:          0.275

                        complete:         0.660

 

AvailImpact      = case AvailabilityImpact of

                        none:             0

                        partial:          0.275

                        complete:         0.660

 

CVSS Temporal Equation

 

TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence

 

Exploitability   = case Exploitability of
                        unproven:             0.85
                        proof-of-concept:     0.9
                        functional:           0.95
                        high:                 1.00
                        not defined:          1.00
                        
RemediationLevel = case RemediationLevel of
                        official-fix:         0.87
                        temporary-fix:        0.90
                        workaround:           0.95
                        unavailable:          1.00
                        not defined:          1.00
 
ReportConfidence = case ReportConfidence of
                        unconfirmed:          0.90
                        uncorroborated:       0.95      
                        confirmed:            1.00
                        not defined:          1.00

 

CVSS Environmental Equation

 

EnvironmentalScore = (AdjustedTemporal + (10-AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution

 
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
 

AdjustedImpact = Min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))

 
CollateralDamagePotential = case CollateralDamagePotential of
                                 none:            0
                                 low:             0.1
                                 low-medium:      0.3
                                 medium-high:     0.4
                                 high:            0.5
                                 not defined:     0
                                 
TargetDistribution        = case TargetDistribution of
                                 none:            0
                                 low:             0.25
                                 medium:          0.75
                                 high:            1.00
                                 not defined:     1.00

 

ConfReq       = case ConfidentialityImpact of

                        Low:              0.5

                        Medium:           1

                        High:             1.51

                        Not defined:      1

 

IntegReq      = case IntegrityImpact of

                        Low:              0.5

                        Medium:           1

                        High:             1.51

                        Not defined:      1

 

AvailReq      = case AvailabilityImpact of

                        Low:              0.5

                        Medium:           1

                        High:             1.51

                        Not defined:      1
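
 

Worked example (added here, not part of the original draft): the three equations above as a small calculator, using only the weights listed on this page. The function names and the shortened dictionary keys (for example "none" / "single" / "multiple" for Authentication) are assumptions, and scores are left unrounded because the draft states no rounding rule.

```python
# Added example: draft v2.10 equations with the weights listed on this page.
# Key names are assumed shorthand; no rounding, since the draft gives no rule.
AC = {"high": 0.35, "medium": 0.61, "low": 0.71}
AU = {"none": 0.704, "single": 0.56, "multiple": 0.45}
AV = {"local": 0.395, "local-network": 0.646, "network": 1.0}
CIA = {"none": 0.0, "partial": 0.275, "complete": 0.660}
E = {"unproven": 0.85, "proof-of-concept": 0.9, "functional": 0.95,
     "high": 1.0, "not-defined": 1.0}
RL = {"official-fix": 0.87, "temporary-fix": 0.90, "workaround": 0.95,
      "unavailable": 1.0, "not-defined": 1.0}
RC = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0,
      "not-defined": 1.0}
CDP = {"none": 0.0, "low": 0.1, "low-medium": 0.3, "medium-high": 0.4,
       "high": 0.5, "not-defined": 0.0}
TD = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0, "not-defined": 1.0}
REQ = {"low": 0.5, "medium": 1.0, "high": 1.51, "not-defined": 1.0}

def impact(c, i, a, reqs=None):
    """Impact; with reqs=(ConfReq, IntegReq, AvailReq) levels, AdjustedImpact."""
    cr, ir, ar = (REQ[r] for r in reqs) if reqs else (1.0, 1.0, 1.0)
    raw = 10.41 * (1 - (1 - CIA[c]*cr) * (1 - CIA[i]*ir) * (1 - CIA[a]*ar))
    return min(10.0, raw) if reqs else raw  # only AdjustedImpact is capped

def base_score(av, ac, au, c, i, a, reqs=None):
    imp = impact(c, i, a, reqs)
    exploitability = 20 * AC[ac] * AU[au] * AV[av]
    f = 0.0 if imp == 0 else 1.176
    return (0.6 * imp + 0.4 * exploitability - 1.5) * f

def temporal_score(base, e="not-defined", rl="not-defined", rc="not-defined"):
    return base * E[e] * RL[rl] * RC[rc]

def environmental_score(vuln, e, rl, rc, cdp, td, reqs):
    """vuln = (av, ac, au, c, i, a). AdjustedTemporal is the temporal score
    recomputed from a base score that uses AdjustedImpact."""
    adj = temporal_score(base_score(*vuln, reqs=reqs), e, rl, rc)
    return (adj + (10 - adj) * CDP[cdp]) * TD[td]

if __name__ == "__main__":
    # Constructed sample: network-reachable, low complexity, no auth, partial C/I/A
    vuln = ("network", "low", "none", "partial", "partial", "partial")
    base = base_score(*vuln)
    temporal = temporal_score(base, "unproven", "official-fix", "unconfirmed")
    env = environmental_score(vuln, "unproven", "official-fix", "unconfirmed",
                              "low", "high", ("high", "medium", "low"))
    print(f"base {base:.3f}  temporal {temporal:.3f}  environmental {env:.3f}")
```

With every environmental metric left "not defined", the environmental score reduces to the temporal score, which is a useful sanity check on any implementation of these equations.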