Risk

The vulnerability data provides multiple indicators for the risk level of an entry. For example CVSS scores, EPSS, exploit prices, and CTI activity scores - There is also risk information available from other sources like other vulnerability databases, vulnerability scanners, and intrusion detection systems.

Metrics

Every entry does also contain a risk level which is defined by the VulDB moderation team. The risk level consists of 3 different levels:

  1. low ⇒ problematic
  2. medium ⇒ critical
  3. high ⇒ very critical

Calculation

The risk level depends on several criterias like remote possibilities, authentication requirements, attack complexity and impact levels. There are some basic guidelines which are used by the VulDB moderators:

  • Attack vectors limited to local are usually low (e.g. denial of service, information disclosure) or medium (e.g. privilege escalation, code execution, buffer overflow)
  • Impact levels which promise high level access or even system access are at least medium (e.g. authentication required) and under some circumstances high (e.g. no prerequisites, exploit available, popular vulnerability)

Context

This risk rating is used primarily for textual representation. As it is not based on a strict algorithmic definition it is suggested to use other indicators for statistical analysis. For example CVSSv4 scores which are a well-known industry standard.

Updated: 07/10/2024 by VulDB Documentation Team

Do you need the next level of professionalism?

Upgrade your account now!