
Vulnerabilities – Risk Scoring

Overview

CVSS Scores

The Common Vulnerability Scoring System (CVSS) is an open standard for describing the principal characteristics of a vulnerability and deriving a numerical score from 0.0 to 10.0 that reflects its severity. The score is then mapped to a qualitative rating (None, Low, Medium, High, Critical) for reporting. Because everyone involved reads the same score the same way, CVSS makes triage and prioritization easier to coordinate across teams and vendors. The standard is maintained by FIRST with contributions from a broad range of security practitioners and organizations. Note that a CVSS base score measures the severity of the vulnerability itself, not the risk it poses in a specific environment; exploit availability, exposure and the importance of the affected asset are only captured if the Threat (Temporal in 3.x) and Environmental metric groups are filled in.

How does Mend provide CVSS scoring?

Mend collects CVSS data from several sources (NVD among them) and applies a proprietary algorithm to decide which source is the most relevant for a given vulnerability.

The same algorithm also generates CVSS 4.0 vectors for vulnerabilities that NVD has not yet scored.

The maximum CVSS version Mend presents is configured at organization level in the Mend Platform settings; the setting also applies to Repo Integration and the CLI.

Example 1

Organization setting: CVSS 4.0

If a CVSS 4.0 score is available for a given vulnerability, Mend presents it. Otherwise it falls back, in order, to CVSS 3.1, 3.0, or 2.0.

Example 2

Organization setting: CVSS 3.1

If a CVSS 3.1 score is available for a given vulnerability, Mend presents it. Otherwise it falls back, in order, to CVSS 3.0 or 2.0. CVSS 4.0 is never shown, even when it is available.
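The two examples above describe one selection procedure: start at the organization's maximum version and walk down the fallback order until a score is found. The script below is an added example (not Mend's own code) that implements that procedure and then bands the chosen score using the severity ranges from the Reference section of this page. It assumes a vulnerability's scores arrive as a dict of version to (score, vector); the input format, the helper names and the scores in SAMPLE are constructed for illustration and are not recomputed from their vectors.

```python
"""Pick the CVSS score Mend would present for a vulnerability and band it.

Added example (not Mend's own code). It implements the fallback order this
page describes and the severity ranges from the Reference section.
Assumptions: a vulnerability's scores arrive as a dict of
version -> (score, vector); the scores in SAMPLE are constructed
illustrative values, not recomputed from their vectors.
"""
from __future__ import annotations

from typing import Optional

# Fallback order: the organization setting fixes the starting point.
FALLBACK_ORDER = ("4.0", "3.1", "3.0", "2.0")

# Severity bands (name, inclusive low, inclusive high) from the Reference
# section. v2.0 has no None or Critical band and its Low band starts at 0.0.
BANDS_V3_V4 = (("None", 0.0, 0.0), ("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
               ("High", 7.0, 8.9), ("Critical", 9.0, 10.0))
BANDS_V2 = (("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0))


def vector_version(vector: str) -> str:
    """Infer the CVSS version from a vector string.

    v3.0, v3.1 and v4.0 vectors start with 'CVSS:<version>/'. v2.0 vectors
    have no prefix but carry the Au (Authentication) metric, which later
    versions dropped.
    """
    if vector.startswith("CVSS:"):
        version = vector.split("/", 1)[0][len("CVSS:"):]
        if version not in FALLBACK_ORDER:
            raise ValueError(f"unsupported CVSS version {version!r}")
        return version
    if "/Au:" in "/" + vector:
        return "2.0"
    raise ValueError(f"cannot determine CVSS version of {vector!r}")


def select_score(available: dict[str, tuple[float, str]],
                 max_version: str) -> Optional[tuple[str, float, str]]:
    """Return (version, score, vector) to present, or None if nothing fits.

    Versions newer than max_version are skipped even when present; older
    versions are tried in FALLBACK_ORDER. A vector whose prefix disagrees
    with the version it is filed under is treated as a data error.
    """
    if max_version not in FALLBACK_ORDER:
        raise ValueError(f"unknown CVSS version setting {max_version!r}")
    for version in FALLBACK_ORDER[FALLBACK_ORDER.index(max_version):]:
        if version not in available:
            continue
        score, vector = available[version]
        if vector_version(vector) != version:
            raise ValueError(f"{vector!r} is not a CVSS {version} vector")
        return version, score, vector
    return None


def severity(version: str, score: float) -> str:
    """Map a score to its qualitative rating for the given CVSS version."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores are reported to one decimal place
    bands = BANDS_V2 if version == "2.0" else BANDS_V3_V4
    for name, low, high in bands:
        if low <= score <= high:
            return name
    raise AssertionError("bands are contiguous; unreachable")


def presented(available, max_version) -> Optional[dict]:
    """The row a UI or report would show for one vulnerability, or None."""
    choice = select_score(available, max_version)
    if choice is None:
        return None
    version, score, vector = choice
    return {"version": version, "score": score,
            "severity": severity(version, score), "vector": vector}


# Constructed sample input: three vulnerabilities with different coverage.
SAMPLE = {
    "vuln-A": {
        "4.0": (8.7, "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"),
        "3.1": (9.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"),
    },
    "vuln-B": {
        "3.0": (5.3, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
        "2.0": (5.0, "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    },
    "vuln-C": {"2.0": (2.1, "AV:L/AC:L/Au:N/C:N/I:N/A:P")},
}

if __name__ == "__main__":
    for setting in ("4.0", "3.1"):
        print(f"Organization setting: CVSS {setting}")
        for name, scores in SAMPLE.items():
            print(f"  {name}: {presented(scores, setting)}")
```

Two details are worth noticing when running it: vuln-A is presented as 8.7 (High) under a CVSS 4.0 setting but as 9.1 (Critical) under a CVSS 3.1 setting, so changing the organization setting can move findings across severity thresholds used by policies; and vuln-C only has a v2.0 score, whose bands differ (no None or Critical, Low starting at 0.0), which is why the banding is keyed by version rather than by score alone.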

CVSS 4.0*

CVSS 4.0 is the latest version of the Common Vulnerability Scoring System. It builds on its predecessors with changes intended to describe modern vulnerabilities and attack scenarios more precisely: the Temporal metric group is replaced by a Threat group and a Supplemental group is added; the Base metrics gain an Attack Requirements (AT) metric and finer-grained User Interaction values (None, Passive, Active); and the single Scope metric is replaced by separate impact metrics for the vulnerable system and for subsequent systems (see the comparison table below). Scores are also labelled by the metric groups they include (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), so a base-only score can be told apart from one that already accounts for Threat or Environmental metrics.

* Note: CVSS v4.0 is not available in Mend.io’s Core application

Reference

Mend supports the CVSS versions compared below. The first table summarizes the metric differences between CVSS 4.0 and CVSS 3.1; the second lists the severity bands for each version.

CVSS 4.0 vs. CVSS 3.1 Scoring Metric

Metric                              | CVSS 4.0                                                                  | CVSS 3.1
------------------------------------|---------------------------------------------------------------------------|------------------------------------------
Metric Groups                       | Base, Threat, Environmental, Supplemental                                 | Base, Temporal, Environmental
Subgroups within the Base Metrics   | Exploitability Metrics, Impact Metrics                                    | Exploitability Metrics, Impact Metrics
User Interaction (UI)               | Possible values: None (N), Passive (P), Active (A)                        | Possible values: None (N), Required (R)
Attack Requirements (AT)            | Present                                                                   | Not present
Scope (S)                           | Replaced by Vulnerable System Impact and Subsequent System Impact metrics | Present as a single value
Abbreviations for Metric Categories | CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE                                        | -

Differences in Score Range

CVSS v4.0             | CVSS v3.0/3.1         | CVSS v2.0
Severity | Score Range | Severity | Score Range | Severity | Score Range
---------|-------------|----------|-------------|----------|------------
None     | 0.0         | None     | 0.0         | -        | -
Low      | 0.1-3.9     | Low      | 0.1-3.9     | Low      | 0.0-3.9
Medium   | 4.0-6.9     | Medium   | 4.0-6.9     | Medium   | 4.0-6.9
High     | 7.0-8.9     | High     | 7.0-8.9     | High     | 7.0-10.0
Critical | 9.0-10.0    | Critical | 9.0-10.0    | -        | -

CVSS v2.0 has no None or Critical band: its Low band starts at 0.0 and its High band extends to 10.0.
