Exploitability
Some vulnerability entries contain information and links about existing exploits. An exploit is a tutorial or software, which helps to execute or automate the exploitation of a vulnerability.
Such an exploit might have a specific level of exploitability, also called exploit code maturity. The exploitability definition on VulDB uses the same metric levels like CVSSv2 and CVSSv3. Our definitions are slightly enhanced and shown in the table below.
| Symbol | CVSSv3 | CVSSv2 | Description | Example |
|---|---|---|---|---|
High | H | H | A professionalized exploit is available with a very high level of reliability, the possibility to change options, and solid error handling. Such an exploit is easy-to-use by attackers not familiar with the technical details of the underlying vulnerability. | Metasploit module, NMAP NSE skript |
Functional | F | F | A solid exploit is available which provides mostly reliable exploit capabilities that work in most scenarios. | enhanced skript, basic exploit implementation |
Proof-of-Concept | P | POC | A simple exploit is available which illustrates the basic functionality of exploitation, without a certain level of reliability, no customization possibilities, and no error handling. | static URL, Curl statement, simple shell skript |
Unproven | U | U | No exploit is available, or an exploit is entirely theoretical. | exploit is private, no public exploit available |
Not Defined | X | ND | The exploitability level is not defined. This is the case when no information about an exploit is available. | no information about exploits available |
The exploitability level is one of tha major factor that impacts the calculation of exploit prices.