Vulnerability Scoring Systems

AttackForge empowers security teams to prioritise and score vulnerabilities using any existing industry framework like CVSS, DREAD, OWASP Risk Rating Methodology; or a custom framework tailored to the needs of the organization; or multiple frameworks on the same project and vulnerability - for a complete perspective.

Using multiple vulnerability scoring systems together provides several important advantages in security assessments:

Complementary perspectives. Each system emphasizes different aspects of risk. CVSS focuses heavily on the technical characteristics of a vulnerability - exploitability, impact on confidentiality/integrity/availability. DREAD brings in factors like discoverability and the number of affected users, which CVSS doesn't directly address. The OWASP Risk Rating Methodology layers in business impact and threat agent factors, tying vulnerabilities more closely to organizational context. Together, they paint a fuller picture than any single system alone.
Better prioritization. A vulnerability might score high on CVSS due to its technical severity but rank lower when DREAD or OWASP factors reveal it's hard to discover, affects few users, or has minimal business impact. Conversely, a technically moderate vulnerability might become urgent when business context shows it affects a revenue-critical system. Cross-referencing scores helps teams avoid both over-reacting and under-reacting.
Audience-appropriate communication. CVSS scores are widely recognized and useful for communicating with technical teams and in compliance contexts. OWASP's business-impact dimension makes it easier to explain risk to executives and stakeholders. DREAD's intuitive categories (how reproducible is it? how exploitable?) can be useful in quick triage discussions. Having multiple frameworks lets you speak the right language to each audience.
Reduced bias and blind spots. Every scoring system has limitations. CVSS, for example, has been criticized for score inflation and for not accounting for environmental context well in its base score. DREAD is sometimes seen as too subjective. Using multiple systems creates a check against the weaknesses of any single one - if all three frameworks agree a vulnerability is critical, you can have higher confidence in that assessment.
Flexibility across contexts. Some systems work better for certain situations. CVSS is standard for published CVEs and vendor advisories. OWASP's methodology suits application-level risk assessments during development. DREAD can be useful for rapid internal triage. Having fluency in all three lets a security team pick the right tool for the situation or combine them as needed.

The main trade-off is additional effort - maintaining multiple scoring workflows takes more time and can introduce confusion if scores conflict without clear guidance on how to reconcile them. Most mature security programs address this by designating a primary system (often CVSS for its industry adoption) and using the others as supplementary lenses during prioritization discussions.

Default Scoring Systems

AttackForge includes the following vulnerability scoring systems out-of-the-box on new deployments:

Creating a Custom Scoring System

You can create and manage your vulnerability scoring systems in Administration > Vulnerabilities > Scoring:

Start by clicking on Add Custom Scoring System.

The Scoring System is made up of the following components:

Name
- This is the name of the scoring system
Key
- This is the unique identifier for the scoring system, which is used in scripts, APIs, etc.
Info
- This is an optional field to help describe the purpose and function of the scoring system.
Form
- This is where you can create your own Sections and Fields which relate to your scoring system.
- These fields will show when a vulnerability is getting scored during vulnerability creation or modification.
- These fields may optionally show when viewing a vulnerability, to provide context on how the vulnerability was scored.
Priority Script
- This is the logic used to calculate the vulnerability priority.

Form

The Scoring Form is made up of Sections and Fields which are presented to users to help them score vulnerabilities, and to help understand the context for how the vulnerability was scored.

Priority Script

The Priority Script is where you configure the logic to calculate the vulnerability priority.

The Priority Script can factor in context from the following locations:

Current scoring system
Other scoring systems in use on the same project
Vulnerability system fields and custom fields
Writeup fields
Affected Asset fields
Project system fields and custom fields

The Priority Script must return one of the following values:

Critical
High
Medium
Low
Info

Applying Scoring Systems to Projects

When creating or modifying a project - you can select from the available scoring systems:

Projects can have as many scoring systems assigned as desired.

Scoring systems can be marked as Required. This means the person scoring vulnerabilities must use that scoring system.

Scoring systems can also be ordered from top to bottom, which controls the order in which the scoring systems are presented and also the relevance to the Priority on the vulnerability. In the event where multiple scoring systems have conflicting ratings, the highest ordered scoring system takes precedence.

Access to Scoring Systems

Every Custom Scoring System assigned to the project can have an access level applied to it. This determines whether a user viewing the vulnerability can see how the vulnerability was scored.

In some cases, you may choose to withhold the details on how the vulnerability was scored using the custom scoring systems. In these cases, you can adjust the Access Level and Roles on the scoring system which sets the lowest project access level that has access to the scoring system.

Using Scoring Systems on Vulnerabilities

When creating or modifying a vulnerability, the assigned scoring systems to the project will become accessible on the vulnerability form:

Mandatory scoring systems will have a red dot indicating a score is required.

When you click on any of the scoring systems, the relevent form will be presented where you can enter in the scoring values:

After you fill in the scoring details, the Priority will be updated. You can override the Priority manually. AttackForge will indicate where a Priority does not align with existing scoring systems:

Scoring System Priority Scripts

DREAD Threat Model

This example assumes that you have the following fields configured on this scoring system:

Each field is a SELECT field which has a value of 1 to 10.

const dread = vulnerability?.scoring?.custom?.dread?.custom_fields;
const damage_potential = dread?.damage_potential;
const reproducibility = dread?.reproducibility;
const exploitability = dread?.exploitability;
const affected_users = dread?.affected_users;
const discoverability = dread?.discoverability;

const score = Number.parseInt(damage_potential)
  + Number.parseInt(reproducibility)
  + Number.parseInt(exploitability)
  + Number.parseInt(affected_users)
  + Number.parseInt(discoverability);

if (score >= 1 && score <= 10) {
  return 'Low';
}
else if (score >= 11 && score <= 24) {
  return 'Medium';
}
else if (score >= 25 && score <= 39) {
  return 'High';
}
else if (score >= 40 && score <= 50) {
  return 'Critical';
}
else {
  return 'Info'
}

OWASP Risk Rating Methodology

This example assumes that you have the following sections and fields configured on this scoring system:

Likelihood Factors:

Impact Factors:

Each field is a SELECT field which has a value of 0 to 9.

const scoring = vulnerability.scoring.custom.owasp_risk_rating_methodology.custom_fields;
const entries = Object.entries(scoring);

let threat_agent_factor = 0;
let vulnerability_factor = 0;
let technical_impact_factor = 0;
let business_impact_factor = 0;

for (let x = 0; x < Array.length(entries); x++) {
  const key = entries[x][0];
  const value = Number.parseInt(entries[x][1]);
  
  if (String.startsWith(key, 'ta_')){
    threat_agent_factor = threat_agent_factor + value;
  }
  else if (String.startsWith(key, 'vf_')){
    vulnerability_factor = vulnerability_factor + value;
  }
  else if (String.startsWith(key, 'ti_')){
    technical_impact_factor = technical_impact_factor + value;
  }
  else if (String.startsWith(key, 'bi_')){
    business_impact_factor = business_impact_factor + value;
  }
}

const likelihood = ( threat_agent_factor + vulnerability_factor ) / 8;
const impact = ( technical_impact_factor + business_impact_factor ) / 8;

let likelihood_rating;
if (likelihood >= 0 && likelihood < 3) {
  likelihood_rating = 'Low';
}
else if (likelihood >= 3 && likelihood < 6) {
  likelihood_rating = 'Medium';
}
else if (likelihood >= 6 && likelihood <= 9) {
  likelihood_rating = 'High';
}

let impact_rating;
if (impact >= 0 && impact < 3) {
  impact_rating = 'Low';
}
else if (impact >= 3 && impact < 6) {
  impact_rating = 'Medium';
}
else if (impact >= 6 && impact <= 9) {
  impact_rating = 'High';
}

if (impact_rating === 'High' && likelihood_rating === 'Low') {
  return 'Medium';
}
else if (impact_rating === 'High' && likelihood_rating === 'Medium') {
  return 'High';
}
else if (impact_rating === 'High' && likelihood_rating === 'High') {
  return 'Critical';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'Low') {
  return 'Low';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'Medium') {
  return 'Medium';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'High') {
  return 'High';
}
else if (impact_rating === 'Low' && likelihood_rating === 'Low') {
  return 'Info';
}
else if (impact_rating === 'Low' && likelihood_rating === 'Medium') {
  return 'Low';
}
else if (impact_rating === 'Low' && likelihood_rating === 'High') {
  return 'Medium';
}

Custom 4x4 Risk Scoring

This example is based on a standard 4x4 risk matrix:

This example assumes that you have the following fields configured on this scoring system:

const scoring = vulnerability.scoring.custom.custom_risk_scoring.custom_fields;

const probability = scoring.probability;
const impact = scoring.impact;

if (probability === 'Rare' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'Medium') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'High') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'Very High') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Unlikely' && impact === 'Medium') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'High') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'Very High') {
  return 'High';
}
else if (probability === 'Possible' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Possible' && impact === 'Medium') {
  return 'Medium';
}
else if (probability === 'Possible' && impact === 'High') {
  return 'High';
}
else if (probability === 'Possible' && impact === 'Very High') {
  return 'Critical';
}
else if (probability === 'Probable' && impact === 'Low') {
  return 'Medium';
}
else if (probability === 'Probable' && impact === 'Medium') {
  return 'High';
}
else if (probability === 'Probable' && impact === 'High') {
  return 'Critical';
}
else if (probability === 'Probable' && impact === 'Very High') {
  return 'Critical';
}

PreviousAdvanced Filtering NextVulnerability SLAs

Last updated 25 days ago

hashtagDefault Scoring Systems

hashtagCreating a Custom Scoring System

hashtagForm

hashtagPriority Script

hashtagApplying Scoring Systems to Projects

hashtagAccess to Scoring Systems

hashtagUsing Scoring Systems on Vulnerabilities

hashtagScoring System Priority Scripts

hashtagDREAD Threat Model

hashtagOWASP Risk Rating Methodology

hashtagCustom 4x4 Risk Scoring