CVSS Scoring

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of vulnerabilities. A CVSS score is derived from scores in three metric groups (base, temporal and environmental) that cover the different characteristics of a vulnerability, including its impact and environmental endurance over time.
When creating or editing a finding, PlexTrac provides the ability to enter or modify scores.
CVSS is owned by FIRST and used by permission. This calculator is based on the official FIRST CVSS documentation.

Entering a Findings Score

Step 1: Select the applicable standard from the Score type pulldown menu (information specifically on CVSS v3.1 is located further below). If not using CVSS, select "General."
Step 2: Enter a value in the Label field.
Step 3: Enter the numerical score in the Value field.
Step 4: Enter the vector value in the Calculation field.
In the Finding Detail page, the score information is now displayed.
CVSS 3.1 scores can also be viewed on the Findings tab for a client in the Clients module.

CVSS v3.1 Calculator

PlexTrac has its own internal CVSS v3.1 calculator that generates a CVSS score based on input values. It also generates a CVSS vector and assigns severity to a finding based on the information selected and calculated score.
Users can generate a value either by clicking through the provided calculator, typing in a vector, or through a combination of both actions.

Entering a Score Directly

Currently the calculator only supports CVSS v3.1, and the button for the calculator will not show if any option besides "CVSS v3.1" is selected for Score type.
If the CVSS v3.1 score is already known, it can be entered in the "Score" field and the finding's severity will update to match the score.
If the value in the Severity field is manually changed at any point after a CVSS v3.1 score has been entered or created, a warning message will appear.

Entering a Vector Directly

A user is able to input a valid CVSS vector into the Vector field. Changes to this field will be reflected in the selected calculator fields.

Using the Calculator

Step 1: With a Score type value of "CVSS v3.1," click Calculate Score.
Step 2: Select the applicable values by clicking the desired values in the fields provided.
After all the fields are selected, a severity score, a severity value, and a vector value are populated. Values in multiple fields are validated to ensure the score and severity are accurate. This is done via the vector string and vector record, which must be kept in sync with one another.
Whenever a field is clicked within the calculator, the vector record string is updated. However, the string only displays if it is valid, so all base values must be selected before the string is shown and the option to save is provided.
When the vector string changes, it is checked for validity. If the string is valid, the record updates and the selected values are updated in the calculator modal.
If not, a warning message is displayed and Save is disabled.
Step 4: For more advanced scoring options, expand "Show temporal and environmental scoring."
Step 5: When finished, click Save. The information is populated in the appropriate fields of the finding and viewable on the Finding Detail page.

Editing Existing Scores

If the calculator is being used to overwrite a previous value, a warning modal will appear for the user.
© 2022 PlexTrac, Inc. All rights reserved.