What is the difference between the exploitability score and the exploitability sub-score? And the difference between the impact score and the impact sub-score?

What are the relationships between the respective scores and sub-scores?

  • Again, this is all explained in the specification document. It's in section 1.2. Can you explain where your confusion lies? The specification document takes you through the whole process rather painstakingly. Any answer will just be quotes from the document unless you can explain what about the document is confusing. – schroeder Apr 06 '22 at 08:14
  • Apparently the exploitability sub-score equation is derived from base exploitability metrics, but then when I used ctrl-f to find the base exploitability metrics table, which I could not actually find, 'base exploitability metrics' only comes up once and that is under 1.2, where I do not see an equation for the exploitability sub-score. – Derek Huang Apr 06 '22 at 10:36
  • Just read the document. Don't "keyword" search the text hoping for a spoon-fed, re-packaged mini-answer that is provided by the whole of the document. – schroeder Apr 06 '22 at 10:49
  • Your question here is asking about the difference between the scores. Your comment is about the formula. Those are 2 different things. – schroeder Apr 06 '22 at 10:52

1 Answer

Impact: The impact sub-score represents metrics for confidentiality impact, integrity impact, and the availability impact of a successfully exploited vulnerability.

Exploitability: The exploitability sub-score represents metrics for Access Vector, Access Complexity, and Authentication, and measures how the vulnerability is accessed, the complexity of the attack, and the number of times an attacker must authenticate to successfully exploit a vulnerability.

Source: https://www.ibm.com/docs/en/qradar-on-cloud?topic=vulnerabilities-common-vulnerability-scoring-system-cvss

Subscore is calculated after the successful exploitation of the vulnerability.

This score we can drill down into in detail:

Access Vector, Access Complexity

  • Is the application or system exposed to the internet, or does it require any special access such as a VPN or the intranet?

  • After reaching the system, does it require access to any sub-endpoint or a DMZ-jumping kind of activity?

  • Number of times an attacker must authenticate

  • You have misread the document. Subscore is not calculated after a successful exploit. And you have not explained the difference between the score and the sub-score as requested by the OP. – schroeder Apr 06 '22 at 09:48
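The sub-score arithmetic the question asks about, as an added example that is not part of the original question, answer or comments: a Python implementation of the CVSS v2 base-score equations, with the metric weights, constants and 0.6/0.4 weighting taken from the CVSS v2 specification. It shows that the exploitability sub-score is derived from AV/AC/Au, the impact sub-score from C/I/A, and that the base score is a weighted combination of the two; the vectors in the usage block are constructed, not tied to any real CVE.

```python
# Added example, not code from the original post or from the CVSS specification.
# CVSS v2 base-score arithmetic: the exploitability sub-score (AV, AC, Au) and the
# impact sub-score (C, I, A) are computed from the base metrics alone, then combined.
# Metric weights and constants are those published in the CVSS v2 specification.
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def round1(x: float) -> float:
    """CVSS round_to_1_decimal (half up), avoiding Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"base vector must contain exactly {sorted(expected)}")
    return metrics


def exploitability_subscore(m: Dict[str, str]) -> float:
    """How reachable and how easy: Access Vector, Access Complexity, Authentication."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def impact_subscore(m: Dict[str, str]) -> float:
    """Combined loss of confidentiality, integrity and availability."""
    c, i, a = (CIA_IMPACT[m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def base_score(vector: str) -> Dict[str, float]:
    """Return both sub-scores and the base score that weights them 0.6 (impact) / 0.4 (exploitability)."""
    m = parse_vector(vector)
    expl, imp = exploitability_subscore(m), impact_subscore(m)
    # f(Impact): a vulnerability with no C/I/A impact scores 0 however exploitable it is.
    f_impact = 0.0 if imp == 0 else 1.176
    base = round1(((0.6 * imp) + (0.4 * expl) - 1.5) * f_impact)
    return {"exploitability": round1(expl), "impact": round1(imp), "base": base}


if __name__ == "__main__":
    # Constructed vectors for illustration, not taken from any real advisory.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:N/I:N/A:N", "AV:L/AC:H/Au:M/C:P/I:N/A:N"):
        print(v, base_score(v))
```

The second vector shows why the sub-scores are not "the" score: its exploitability sub-score is 10.0, yet with no impact the base score is 0.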