Show CVSS score on vulnerability pages
Problem to solve
Organizations with more mature security processes, as well as many in highly regulated industries (e.g. finance, insurance, healthcare), require more than a simple severity level to drive their vulnerability management process. Severity is one aspect, but such organizations need a risk-based classification system so they can properly assess the potential negative impact to their business. A standard system for quantifying severity is only a severity classification system, but it is the first step toward offering a risk-based triage and evaluation process.
User experience goal
Users will see a new, standardized severity scoring system that underpins the current severity classification system (Critical, High, Medium, Low, Unknown). The severity score will be prominently visible on the vulnerability pages. Users will be able to see details of how the severity score is calculated.
We will show the CVSSv3 score on each vulnerability page in addition to the severity level. We will also evaluate whether it is feasible to show the details of how the score was computed (https://www.first.org/cvss/calculator/3.1).
Not all scanners provide a CVSSv3 score, so we will need to account for this case. The tentative proposal is to set the score to the maximum (10) and provide a separate visual indication that this value was assigned because the real score is unknown. This is in line with many competing vulnerability management/assessment offerings.
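As an added illustration (not GitLab code), the following Ruby module computes a CVSS v3.1 base score from a scanner-supplied vector string using the formulas from the specification linked above, maps it onto the CVSS qualitative rating scale, and applies the fallback proposed here: a missing vector yields 10.0 together with an `assumed: true` flag that the page can render as the separate visual indicator. The `CvssV3` module name and the `display` view-model shape are assumptions for this example.

```ruby
# Added example, not part of the original proposal: CVSS v3.1 base score
# from a vector string, plus the "unknown score -> 10.0, flagged" fallback.
module CvssV3
  CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }.freeze
  WEIGHTS = {
    'AV' => { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 },
    'AC' => { 'L' => 0.77, 'H' => 0.44 },
    'UI' => { 'N' => 0.85, 'R' => 0.62 },
    'C' => CIA, 'I' => CIA, 'A' => CIA
  }.freeze
  # Privileges Required weights differ when the scope changes (spec 7.4).
  PR_UNCHANGED = { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 }.freeze
  PR_CHANGED   = { 'N' => 0.85, 'L' => 0.68, 'H' => 0.5 }.freeze

  # Spec's Roundup: round up to one decimal via integers to avoid FP drift.
  def self.roundup(value)
    int_input = (value * 100_000).round
    return int_input / 100_000.0 if (int_input % 10_000).zero?
    ((int_input / 10_000).floor + 1) / 10.0
  end

  # Base score for a "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" vector.
  def self.base_score(vector)
    m = vector.split('/').drop(1).to_h { |part| part.split(':') }
    changed = m.fetch('S') == 'C'
    iss = 1 - (1 - CIA.fetch(m.fetch('C'))) * (1 - CIA.fetch(m.fetch('I'))) *
              (1 - CIA.fetch(m.fetch('A')))
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
    pr = (changed ? PR_CHANGED : PR_UNCHANGED).fetch(m.fetch('PR'))
    exploitability = 8.22 * WEIGHTS['AV'].fetch(m.fetch('AV')) *
                     WEIGHTS['AC'].fetch(m.fetch('AC')) * pr *
                     WEIGHTS['UI'].fetch(m.fetch('UI'))
    return 0.0 if impact <= 0
    total = impact + exploitability
    roundup([changed ? 1.08 * total : total, 10].min)
  end

  # CVSS qualitative severity rating scale (spec section 5).
  def self.severity(score)
    case score
    when 0.0 then 'None'
    when 0.1..3.9 then 'Low'
    when 4.0..6.9 then 'Medium'
    when 7.0..8.9 then 'High'
    else 'Critical'
    end
  end

  # View model for the vulnerability page: real score when the scanner gave
  # a vector, otherwise the proposed maximum of 10.0 marked as assumed.
  def self.display(vector)
    return { score: 10.0, assumed: true } if vector.nil? || vector.empty?
    { score: base_score(vector), assumed: false }
  end
end
```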
Permissions and Security
Users must have permission to view a vulnerability page.