What is the "Exposure Assessment" score and how is it calculated in the vulnerability assessment reports?



  • Official comment
    Abby Kincer

    Matt - 

    I've got an answer for you! I do want to let you know that the Exposure Assessment score will be replaced with a new Threat Risk Index score when existing customers are transitioned to our new product offerings in the next several months. In the meantime, here's the Exposure Assessment score breakdown:

    The Exposure Assessment score for a vulnerability is based on the CVSS 2.0 Base score. If the CVSS score is 0, the Exposure Assessment score is 0. When the CVSS Base score is greater than 0, the Exposure Assessment score is calculated by taking the cubed number of the CVSS 2.0 Base score, dividing by 100, and rounding to the nearest whole number. For example, if the vulnerability has a CVSS Base score of 7.5, the cubed value (7.5 x 7.5 x 7.5) is 421.875, and divided by 100 is 4.21875, which is finally rounded down for an Exposure Assessment score of 4.

    If you have any other questions, please let me know and I'll be happy to help!
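
The calculation described in the official comment above, as an added example that is not part of the original thread or the vendor's code. It also goes one step further than the reply and lists which CVSS 2.0 Base score ranges collapse into each Exposure Assessment score; the function names and the half-up tie rule are assumptions (the reply does not say how ties are rounded, and none occur for one-decimal CVSS scores).

```python
from decimal import Decimal, ROUND_HALF_UP


def exposure_score(cvss_base):
    """Cube the CVSS 2.0 Base score, divide by 100, round to the nearest whole number."""
    # Decimal avoids binary floating-point error near rounding boundaries.
    base = Decimal(str(cvss_base))
    if not Decimal("0") <= base <= Decimal("10"):
        raise ValueError("CVSS 2.0 Base score must be between 0.0 and 10.0")
    if base == 0:
        return 0
    # Assumption: ties round half up. The thread does not specify tie handling.
    scaled = base ** 3 / 100
    return int(scaled.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def cvss_bands():
    """Return {exposure score: (lowest, highest CVSS base score that yields it)}."""
    bands = {}
    for tenths in range(0, 101):  # CVSS 2.0 base scores have one decimal place
        base = Decimal(tenths) / 10
        score = exposure_score(base)
        low, _ = bands.get(score, (base, base))
        bands[score] = (low, base)
    return bands


if __name__ == "__main__":
    # The worked example from the reply: CVSS 7.5 -> 421.875 / 100 -> 4
    print("CVSS 7.5 ->", exposure_score("7.5"))
    print("Exposure  CVSS 2.0 Base range")
    for score, (low, high) in sorted(cvss_bands().items()):
        print(f"{score:>8}  {low} - {high}")
```

Because the score is cubic, every finding with a CVSS 2.0 Base score of 3.6 or lower rounds to an Exposure Assessment score of 0, so a 0 in a report does not by itself mean the CVSS score was 0.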

  • Abby Kincer

    Matt -

    Thanks for posting - this is a fantastic question. I'm going to track the answer down for you and report back.

