Risk
The vulnerability data provides multiple indicators for the risk level of an entry. For example CVSS scores, EPSS, exploit prices, and CTI activity scores - There is also risk information available from other sources like other vulnerability databases, vulnerability scanners, and intrusion detection systems.
Metrics
Every entry does also contain a risk level which is defined by the VulDB moderation team. The risk level consists of 3 different levels:
- low ⇒ problematic
- medium ⇒ critical
- high ⇒ very critical
Calculation
The risk level depends on several criterias like remote possibilities, authentication requirements, attack complexity and impact levels. There are some basic guidelines which are used by the VulDB moderators:
- Attack vectors limited to local are usually low (e.g. denial of service, information disclosure) or medium (e.g. privilege escalation, code execution, buffer overflow)
- Impact levels which promise high level access or even system access are at least medium (e.g. authentication required) and under some circumstances high (e.g. no prerequisites, exploit available, popular vulnerability)
Context
This risk rating is used primarily for textual representation. As it is not based on a strict algorithmic definition it is suggested to use other indicators for statistical analysis. For example CVSSv4 scores which are a well-known industry standard.
Uppdaterad: 10/07/2024 förbi VulDB Documentation Team