What three metrics are used to determine CVSS rankings?


The CVSS (Common Vulnerability Scoring System) uses three specific metrics to evaluate the severity of vulnerabilities: Base, Temporal, and Environmental.

The Base metric captures the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It includes aspects such as the exploitability of the vulnerability and the impact it may have on confidentiality, integrity, and availability.

The Temporal metric reflects the characteristics of a vulnerability that change over time and can be affected by the availability of patches or the existence of exploit code. This metric helps assess how the changing nature of the environment and available defenses can impact the urgency and seriousness of the vulnerability.

The Environmental metric captures the characteristics that are specific to a particular user's environment. This allows for a more tailored approach to scoring vulnerabilities based on factors such as the information the system handles, the presence of mitigation controls, and the potential impact on the organization based on its unique environment.

The combination of these three metrics allows organizations to assess vulnerabilities comprehensively, taking into account both the inherent nature of the vulnerability and the context in which it exists. This structured approach ensures a more accurate and relevant assessment of the risk associated with security vulnerabilities.
