What is the "Exposure Assessment" score and how is it calculated in the vulnerability assessment reports?
I can see scores given to hosts labelled as "Exposure Assessment" but I have been unable to find a definition of what that means in order to explain to clients.
Does anyone know what it is indicating or how it is calculated?
Cheers
-
Official comment
Matt -
I've got an answer for you! I do want to let you know that the Exposure Assessment score will be replaced with a new Threat Risk Index score when existing customers are transitioned to our new product offerings in the next several months. In the meantime, here's the Exposure Assessment score breakdown:
The Exposure Assessment score for a vulnerability is based on the CVSS 2.0 Base score. If the CVSS score is 0, the Exposure Assessment score is 0. When the CVSS Base score is greater than 0, the Exposure Assessment score is calculated by taking the cubed number of the CVSS 2.0 Base score, dividing by 100, and rounding to the nearest whole number. For example, if the vulnerability has a CVSS Base score of 7.5, the cubed value (7.5 x 7.5 x 7.5) is 421.875, and divided by 100 is 4.21875, which is finally rounded down for an Exposure Assessment score of 4.
If you have any other questions, please let me know and I'll be happy to help!
-
Matt -
Thanks for posting - this is a fantastic question. I'm going to track the answer down for you and report back.