
Cybersecurity Vulnerability Rating

Ease of Discovery rates how much effort a threat actor must spend to find the vulnerability in the first place; it says nothing about how damaging the flaw is once found. The scale runs from practically impossible to trivially easy, and only four values are used. A rating of 1 means the vulnerability is practically impossible to discover without exceptional effort or resources. A rating of 3 means it is difficult to uncover and typically requires specialised skills or advanced knowledge of the target. A rating of 7 means it is easy to find with minimal expertise or effort, for example by reading error messages or inspecting responses by hand. A rating of 9 means automated tools (scanners, fuzzers, public signatures) will find it, so even attackers with little skill can locate it. The higher the rating, the more likely the vulnerability is to be found, so this factor raises the likelihood side of the risk calculation rather than the impact side.

Ease of Exploit (Vector) rates how easily a threat actor can exploit the vulnerability once it has been discovered; it is scored separately from discovery because a flaw can be easy to spot yet hard to weaponise, or the reverse. A rating of 1 is a theoretical exploit: practical exploitation is nearly impossible and may only be feasible under controlled laboratory conditions. A rating of 3 means exploitation requires significant skill or effort, such as chaining several weaknesses or bypassing a mitigation. A rating of 5 means the exploit is relatively easy and needs only moderate expertise or resources. A rating of 9 is assigned when automated tools or ready-made exploits are available, so exploitation is simple even for attackers with minimal skill. Note that the middle value on this scale is 5, not 7 as on the discovery scale; the two scales are not interchangeable.

Cybersecurity Risk

Awareness rates how widely the vulnerability is known among threat actors, which determines how much of the attacker population can act on it at all. A rating of 1 means the vulnerability is unknown to threat actors, so the immediate risk is minimal. A rating of 4 means it is hidden: known only to a few people, or only discoverable with specialised knowledge of the system. A rating of 6 means it is obvious, and a skilled person looking at the system would be expected to recognise it with moderate effort. A rating of 9 means it is public knowledge: published, widely accessible and potentially well-documented, which sharply increases the likelihood of exploitation. Awareness should be re-scored when circumstances change, for instance when an advisory or proof of concept is published.

Intrusion Detection Vector rates how likely an exploit is to be detected during or after an attack, which in turn determines how effectively the organisation can respond. Unlike the other factors, a low rating here is a sign of good defensive posture. A rating of 1 means there is active detection within the application: the exploit attempt is identified immediately and flagged for response. A rating of 3 means the exploit is logged and the logs are actively reviewed, so it can be detected after the fact. A rating of 8 means the exploit is logged but the logs are not routinely reviewed, which delays detection or prevents it altogether; this scores almost as badly as no logging, because a log nobody reads does not produce a response. A rating of 9 means the exploit is not logged at all, so detection is unlikely unless some other control intervenes. When scoring this factor, rate the review practice that actually exists, not the one that is documented.
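The following is an added example, not code from the original page. It encodes the four scales above as the only permitted values, combines them into a single vulnerability likelihood score, and reports which factor contributes most. The page does not say how the four ratings are combined; the arithmetic mean and the LOW (below 3), MEDIUM (3 to below 6) and HIGH (6 and above) bands used here are taken from the OWASP Risk Rating Methodology, on which these factor definitions are based, and are an assumption for this example. The sample ratings at the bottom are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


# Only the discrete values defined on the page are permitted; IntEnum
# rejects anything else with ValueError, so a rating of 5 for Ease of
# Discovery (not on that scale) cannot slip into a calculation.
class EaseOfDiscovery(IntEnum):
    PRACTICALLY_IMPOSSIBLE = 1
    DIFFICULT = 3
    EASY = 7
    AUTOMATED_TOOLS_AVAILABLE = 9


class EaseOfExploit(IntEnum):
    THEORETICAL = 1
    DIFFICULT = 3
    EASY = 5
    AUTOMATED_TOOLS_AVAILABLE = 9


class Awareness(IntEnum):
    UNKNOWN = 1
    HIDDEN = 4
    OBVIOUS = 6
    PUBLIC_KNOWLEDGE = 9


class IntrusionDetection(IntEnum):
    ACTIVE_DETECTION_IN_APPLICATION = 1
    LOGGED_AND_REVIEWED = 3
    LOGGED_WITHOUT_REVIEW = 8
    NOT_LOGGED = 9


def on_scale(factor_cls: type[IntEnum], value: int) -> bool:
    """True if `value` is one of the permitted ratings for `factor_cls`."""
    return value in {member.value for member in factor_cls}


@dataclass(frozen=True)
class VulnerabilityFactors:
    discovery: EaseOfDiscovery
    exploit: EaseOfExploit
    awareness: Awareness
    detection: IntrusionDetection

    def score(self) -> float:
        # Assumption: arithmetic mean of the four factors, as in the
        # OWASP Risk Rating Methodology; the page itself gives no formula.
        return (self.discovery + self.exploit + self.awareness + self.detection) / 4

    def dominant(self) -> str:
        """Name of the factor with the highest rating, i.e. the best
        candidate for remediation (e.g. 'detection' when logs go unread)."""
        values = {
            "discovery": int(self.discovery),
            "exploit": int(self.exploit),
            "awareness": int(self.awareness),
            "detection": int(self.detection),
        }
        return max(values, key=values.__getitem__)


def likelihood_band(score: float) -> str:
    # Assumption: OWASP likelihood bands; not stated on the page.
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(discovery: int, exploit: int, awareness: int, detection: int) -> tuple[float, str]:
    """Validate raw ratings against their scales and return (score, band).
    Raises ValueError if any rating is not a permitted value."""
    factors = VulnerabilityFactors(
        EaseOfDiscovery(discovery),
        EaseOfExploit(exploit),
        Awareness(awareness),
        IntrusionDetection(detection),
    )
    return factors.score(), likelihood_band(factors.score())


if __name__ == "__main__":
    # Constructed sample: easy to find, easy to exploit, obvious to a
    # skilled attacker, and exploitation is logged but nobody reads the log.
    sample = VulnerabilityFactors(
        EaseOfDiscovery.EASY, EaseOfExploit.EASY,
        Awareness.OBVIOUS, IntrusionDetection.LOGGED_WITHOUT_REVIEW,
    )
    print(sample.score(), likelihood_band(sample.score()), sample.dominant())
    # Same vulnerability with active in-application detection: drops to MEDIUM.
    print(rate(7, 5, 6, 1))
```

In the constructed sample the unread log (rating 8) is the dominant factor; switching it to active detection (rating 1) is what moves the likelihood from HIGH to MEDIUM, which is the practical point of scoring detection separately from the attacker-side factors.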