DRAFT CVSS v2.10 Equations (last revised 3-20-07)

CVSS Base Score Equation

BaseScore = (.6*Impact +.4*Exploitability-1.5)*f(Impact)
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))

Exploitability = 20 * AccessComplexity * Authentication * AccessVector

f(Impact) = 0 if Impact=0; 1.176 otherwise
AccessComplexity = case AccessComplexity of
                        high:   0.35
                        medium: 0.61
                        low:    0.71
Authentication   = case Authentication of
                        Requires no authentication:                    0.704
                        Requires single instance of authentication:    0.56
                        Requires multiple instances of authentication: 0.45
AccessVector     = case AccessVector of
                        Requires local access:    0.395
                        Local Network accessible: 0.646
                        Network accessible:       1
ConfImpact       = case ConfidentialityImpact of
                        none:             0
                        partial:          0.275
                        complete:         0.660
IntegImpact      = case IntegrityImpact of
                        none:             0
                        partial:          0.275
                        complete:         0.660
AvailImpact      = case AvailabilityImpact of
                        none:             0
                        partial:          0.275
                        complete:         0.660
CVSS Temporal Equation
TemporalScore = BaseScore 
              * Exploitability 
              * RemediationLevel 
              * ReportConfidence
Exploitability   = case Exploitability of
                        unproven:             0.85
                        proof-of-concept:     0.9
                        functional:           0.95
                        high:                 1.00
                        not defined           1.00
RemediationLevel = case RemediationLevel of
                        official-fix:         0.87
                        temporary-fix:        0.90
                        workaround:           0.95
                        unavailable:          1.00
                        not defined           1.00
ReportConfidence = case ReportConfidence of
                        unconfirmed:          0.90
                        uncorroborated:       0.95      
                        confirmed:            1.00
                        not defined           1.00
CVSS Environmental Equation
EnvironmentalScore = (AdjustedTemporal 
                        + (10 - AdjustedTemporal) 
                        * CollateralDamagePotential) 
                     * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation 
                   replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 
                     10.41 * (1 - 
                                (1 - ConfImpact * ConfReq) 
                              * (1 - IntegImpact * IntegReq) 
                              * (1 - AvailImpact * AvailReq)))
CollateralDamagePotential = case CollateralDamagePotential of
                                 none:            0
                                 low:             0.1
                                 low-medium:      0.3   
                                 medium-high:     0.4
                                 high:            0.5      
                                 not defined:     0
TargetDistribution        = case TargetDistribution of
                                 none:            0
                                 low:             0.25
                                 medium:          0.75
                                 high:            1.00
                                 not defined:     1.00
ConfReq       = case ConfidentialityImpact of
                        Low:              0.5
                        Medium:           1
                        High:             1.51
                        Not defined       1
IntegReq      = case IntegrityImpact of
                        Low:              0.5
                        Medium:           1
                        High:             1.51
                        Not defined       1
AvailReq      = case AvailabilityImpact of
                        Low:              0.5
                        Medium:           1
                        High:             1.51
                        Not defined       1

NVD CVSS Overall Score Decision Tree

The CVSS Overall Score is part of the NVD and is not part of the CVSS standard.

    (Calculate OverallScore)
	<BaseScore Defined?> ----No----> [OverallScore = "Not Defined"] -------------
                |                                                                   |
                |                                                                   |
               Yes                                                                  |
                |                                                                   |
                |                                                                   |
                \/                                                                  |
    [OverallScore = BaseScore]                                                      |
                |                                                                   |
                |                                                                   |
                \/                                                                  |
     <EnvironmentalScore Defined?> --Yes--> [OverallScore = EnvironmentalScore] ----|
                |                                                                   |
                |                                                                   |
                No                                                                  |
                |                                                                   |
                |                                                                   |
                \/                                                                  |
        <TemporalScore Defined?> ---Yes---> [OverallScore = TemporalScore] ---------|
                |                                                                   |
                |                                                                   |
                No                                                                  |
                |                                                                   |
                |                                                                   |
                \/                                                                  |
       (Return OverallScore) <-------------------------------------------------------