CVE Risk Score Calculator
Calculates a composite CVE risk score combining CVSS v3.1 base score components, asset criticality, and environmental exposure to produce a prioritized risk score (0–100).
CVSS v3.1 Base Metrics
Environmental & Asset Factors
Formulas
1. Impact Sub-Score (ISS):
ISCBase = 1 − (1−C)(1−I)(1−A)
If Scope = Unchanged: ISS = 6.42 × ISCBase
If Scope = Changed: ISS = 7.52 × [ISCBase − 0.029] − 3.25 × [ISCBase − 0.02]^15
2. Exploitability Sub-Score (ESS):
ESS = 8.22 × AV × AC × PR × UI
3. CVSS Base Score:
If ISCBase ≤ 0: BaseScore = 0
If Scope = Unchanged: BaseScore = Roundup(min(ISS + ESS, 10))
If Scope = Changed: BaseScore = Roundup(min(1.08 × (ISS + ESS), 10))
4. Temporal Score:
TemporalScore = Roundup(BaseScore × ExploitMaturity × RemediationLevel × ReportConfidence)
5. Composite Risk Score (0–100):
RiskScore = (TemporalScore / 10) × (AssetCriticality / 10) × (Exposure / 100) × 100
Severity Bands: Critical ≥ 70 | High ≥ 50 | Medium ≥ 30 | Low > 0 | Informational = 0
Assumptions & References
- CVSS v3.1 base metric weights follow the official FIRST specification exactly (AV, AC, PR, UI, Scope, C, I, A).
- PR values are scope-dependent per CVSS 3.1: PR=Low is 0.62 (Unchanged) or 0.68 (Changed); PR=High is 0.27 (Unchanged) or 0.50 (Changed).
- Temporal score multipliers (Exploit Maturity, Remediation Level, Report Confidence) follow CVSS 3.1 temporal metric values.
- Asset Criticality (1–10) is a user-defined organizational value reflecting business impact of the affected asset.
- Network Exposure (0–100%) represents the percentage of the attack surface reachable by potential attackers.
- Composite Risk Score normalizes all factors to a 0–100 scale for cross-vulnerability prioritization.
- Reference: FIRST CVSS v3.1 Specification — https://www.first.org/cvss/v3.1/specification-document
- Reference: NVD CVSS Calculator — https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- Roundup function rounds to the nearest 0.1 toward positive infinity (ceiling at 1 decimal place).