Let’s consider a practical example of how vulnerability rating works. Imagine a web application that has a known security flaw in its authentication system. To assess the risk, we begin by evaluating the ease of discovery.
In this case, the flaw is widely known because it was discussed in a popular security forum, and there are automated tools available that can scan for it. This makes the flaw easy to discover. Therefore, it receives a high rating of 9 for ease of discovery.
Next, we assess the ease of exploit. The vulnerability is difficult to exploit as there are no pre-built scripts available to easily bypass the authentication system, and attackers would need advanced technical skills to take advantage of the flaw. As a result, it scores a 3 for exploitability.
The third factor, awareness, measures how well-known the vulnerability is among threat actors. Given that this flaw has been publicly disclosed in security advisories and discussed in online forums, attackers are likely to be aware of it. This high level of awareness gives the vulnerability a rating of 9.
Finally, we evaluate the intrusion detection aspect. In this case, the system doesn’t log failed login attempts, nor does it have real-time alerts to flag unauthorised access. This lack of detection means the vulnerability is unlikely to be spotted if exploited, leading to a rating of 9 for intrusion detection.
When we combine these ratings, 9 for discovery, 3 for exploitability, 9 for awareness, and 9 for detection evasion 9 + 3 + 9 + 9 / 4 = 7.5 This suggests a moderate to high risk, highlighting the importance of addressing the vulnerability, despite its difficulty to exploit, due to its ease of discovery, widespread awareness, and lack of detection mechanisms.