DRAFT CVSS v2.10
Equations (last revised 3-20-07)
CVSS Base
Score Equation
BaseScore = (.6*Impact +.4*Exploitability-1.5)*f(Impact)
Impact = 10.41*(1-(1-ConfImpact)(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessComplexity*Authentication*AccessVector
f(Impact) = 0 if Impact=0; 1.176 otherwise
AccessComplexity = case AccessComplexity of
high: 0.35
medium: 0.61
low: 0.71
Authentication = case Authentication of
Requires no authentication: 0.704
Requires single instance of authentication: 0.56
Requires multiple instances of authentication: 0.45
AccessVector = case AccessVector of
Requires local access: .395
Local Network accessible: .646
Network accessible: 1
ConfImpact = case ConfidentialityImpact of
none: 0
partial: 0.275
complete: 0.660
IntegImpact = case IntegrityImpact of
none: 0
partial: 0.275
complete: 0.660
AvailImpact = case AvailabilityImpact of
none: 0
partial: 0.275
complete: 0.660
CVSS Temporal Equation
TemporalScore=BaseScore*Exploitability*RemediationLevel*ReportConfidence
Exploitability = case Exploitability of
unproven: 0.85
proof-of-concept: 0.9
functional: 0.95
high: 1.00
not defined 1.00
RemediationLevel = case RemediationLevel of
official-fix: 0.87
temporary-fix: 0.90
workaround: 0.95
unavailable: 1.00
not defined 1.00
ReportConfidence = case ReportConfidence of
unconfirmed: 0.90
uncorroborated: 0.95
confirmed: 1.00
not defined 1.00
CVSS Environmental Equation
EnvironmentalScore=(AdjustedTemporal+
(10-AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
CollateralDamagePotential = case CollateralDamagePotential of
none: 0
low: 0.1
low-medium: 0.3
medium-high: 0.4
high: 0.5
not defined: 0
TargetDistribution = case TargetDistribution of
none: 0
low: 0.25
medium: 0.75
high: 1.00
not defined: 1.00
ConfReq = case ConfidentialityImpact of
Low: 0.5
Medium: 1
High: 1.51
Not defined 1
IntegReq = case IntegrityImpact of
Low: 0.5
Medium: 1
High: 1.51
Not defined 1
AvailReq = case AvailabilityImpact of
Low: 0.5
Medium: 1
High: 1.51
Not defined 1