# Vulnerability Scoring Systems

<figure><img src="/files/EfpJXdknxgQXklwf2DCS" alt=""><figcaption></figcaption></figure>

AttackForge empowers security teams to prioritise and score vulnerabilities using any existing industry framework like CVSS, DREAD, OWASP Risk Rating Methodology; or a custom framework tailored to the needs of the organization; or multiple frameworks on the same project and vulnerability - for a complete perspective.

Using multiple vulnerability scoring systems together provides several important advantages in security assessments:

* **Complementary perspectives.** Each system emphasizes different aspects of risk. CVSS focuses heavily on the technical characteristics of a vulnerability - exploitability, impact on confidentiality/integrity/availability. DREAD brings in factors like discoverability and the number of affected users, which CVSS doesn't directly address. The OWASP Risk Rating Methodology layers in business impact and threat agent factors, tying vulnerabilities more closely to organizational context. Together, they paint a fuller picture than any single system alone.
* **Better prioritization.** A vulnerability might score high on CVSS due to its technical severity but rank lower when DREAD or OWASP factors reveal it's hard to discover, affects few users, or has minimal business impact. Conversely, a technically moderate vulnerability might become urgent when business context shows it affects a revenue-critical system. Cross-referencing scores helps teams avoid both over-reacting and under-reacting.
* **Audience-appropriate communication.** CVSS scores are widely recognized and useful for communicating with technical teams and in compliance contexts. OWASP's business-impact dimension makes it easier to explain risk to executives and stakeholders. DREAD's intuitive categories (how reproducible is it? how exploitable?) can be useful in quick triage discussions. Having multiple frameworks lets you speak the right language to each audience.
* **Reduced bias and blind spots.** Every scoring system has limitations. CVSS, for example, has been criticized for score inflation and for not accounting for environmental context well in its base score. DREAD is sometimes seen as too subjective. Using multiple systems creates a check against the weaknesses of any single one - if all three frameworks agree a vulnerability is critical, you can have higher confidence in that assessment.
* **Flexibility across contexts.** Some systems work better for certain situations. CVSS is standard for published CVEs and vendor advisories. OWASP's methodology suits application-level risk assessments during development. DREAD can be useful for rapid internal triage. Having fluency in all three lets a security team pick the right tool for the situation or combine them as needed.

The main trade-off is additional effort - maintaining multiple scoring workflows takes more time and can introduce confusion if scores conflict without clear guidance on how to reconcile them. Most mature security programs address this by designating a primary system (often CVSS for its industry adoption) and using the others as supplementary lenses during prioritization discussions.

## Default Scoring Systems

AttackForge includes the following vulnerability scoring systems out-of-the-box on new deployments:

* [**CVSS version 3.1**](https://www.first.org/cvss/calculator/3.1)
* [**CVSS version 4.0**](https://www.first.org/cvss/calculator/4.0)
* [**DREAD Threat Model**](https://satoricyber.com/glossary/threat-modeling-with-microsoft-dread/)
* [**OWASP Risk Rating Methodology**](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)
* [**Custom 4x4 Risk Scoring**](https://en.wikipedia.org/wiki/Risk_matrix)

## Creating a Custom Scoring System

You can create and manage your vulnerability scoring systems in `Administration > Vulnerabilities > Scoring`:

<figure><img src="/files/cltqiukMKKrj8CkR8se8" alt=""><figcaption></figcaption></figure>

Start by clicking on `Add Custom Scoring System`.

<figure><img src="/files/dOKzgsaFnnLv8GGUq45L" alt=""><figcaption></figcaption></figure>

The Scoring System is made up of the following components:

* **Name**
  * This is the name of the scoring system
* **Key**
  * This is the unique identifier for the scoring system, which is used in scripts, APIs, etc.
* **Info**
  * This is an optional field to help describe the purpose and function of the scoring system.
* **Form**
  * This is where you can create your own [Sections and Fields](/attackforge-enterprise/getting-started/custom-fields-and-forms.md) which relate to your scoring system.
  * These fields will show when a vulnerability is getting scored during vulnerability creation or modification.
  * These fields may optionally show when viewing a vulnerability, to provide context on how the vulnerability was scored.
* **Priority Script**
  * This is the logic used to calculate the vulnerability priority.

### Form

The Scoring Form is made up of [Sections and Fields](/attackforge-enterprise/getting-started/custom-fields-and-forms.md) which are presented to users to help them score vulnerabilities, and to help understand the context for how the vulnerability was scored.

<figure><img src="/files/lqcoEO0GMvPEyounq6K6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AO0QqEsS3zURaABCH17C" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0BqcPpYAPsbiRPFYg8nj" alt=""><figcaption></figcaption></figure>

### Priority Script

The Priority Script is where you configure the logic to calculate the vulnerability priority.

The Priority Script can factor in context from the following locations:

* Current scoring system
* Other scoring systems in use on the same project
* Vulnerability system fields and custom fields
* Writeup fields
* Affected Asset fields
* Project system fields and custom fields

<figure><img src="/files/mfg7RurS9VflJceECGHI" alt=""><figcaption></figcaption></figure>

The Priority Script must return one of the following values:

* Critical
* High
* Medium
* Low
* Info

<figure><img src="/files/2A3fSZo1e3jfMT26KnEV" alt=""><figcaption></figcaption></figure>

## Applying Scoring Systems to Projects

When creating or modifying a project - you can select from the available scoring systems:

<figure><img src="/files/XVwcYbASrgu5VMkEbBdj" alt=""><figcaption></figcaption></figure>

Projects can have as many scoring systems assigned as desired.

Scoring systems can be marked as `Required`. This means the person scoring vulnerabilities *must* use that scoring system.

Scoring systems can also be ordered from top to bottom, which controls the order in which the scoring systems are presented and also the relevance to the Priority on the vulnerability. In the event where multiple scoring systems have conflicting ratings, the highest ordered scoring system takes precedence.

<figure><img src="/files/zB0SxCsfXvc0daY1yDaY" alt=""><figcaption></figcaption></figure>

### Access to Scoring Systems

Every Custom Scoring System assigned to the project can have an access level applied to it. This determines whether a user viewing the vulnerability can see how the vulnerability was scored.

<figure><img src="/files/0wdI3rp2uC7C5Felhge7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/H7sfa0kH7F7Mlq3Au6NY" alt=""><figcaption></figcaption></figure>

In some cases, you may choose to withhold the details on how the vulnerability was scored using the custom scoring systems. In these cases, you can adjust the `Access Level` and `Roles` on the scoring system which sets the *lowest project access level that has access to the scoring system*.

<figure><img src="/files/6Oh6b37bVFwaYuQMRwJG" alt=""><figcaption></figcaption></figure>

## Using Scoring Systems on Vulnerabilities

When creating or modifying a vulnerability, the assigned scoring systems to the project will become accessible on the vulnerability form:

<figure><img src="/files/n8UTrtIsWg2BBqcIaCKt" alt=""><figcaption></figcaption></figure>

Mandatory scoring systems will have a *red dot* indicating a score is required.

When you click on any of the scoring systems, the relevent form will be presented where you can enter in the scoring values:

<figure><img src="/files/pYAIdqWCkoNDKtysm9M3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oUR061lro9BvFq4w0ISn" alt=""><figcaption></figcaption></figure>

After you fill in the scoring details, the Priority will be updated. You can override the Priority manually. AttackForge will indicate where a Priority does not align with existing scoring systems:

<figure><img src="/files/KWnde8xQ31G7UK2Ka0Gm" alt=""><figcaption></figcaption></figure>

## Scoring System Priority Scripts

### DREAD Threat Model

This example assumes that you have the following fields configured on this scoring system:

<figure><img src="/files/xkXsruruno0C96q8zkc8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JxduLwV7hutysQWySl5a" alt=""><figcaption></figcaption></figure>

Each field is a SELECT field which has a value of 1 to 10.

```javascript
const dread = vulnerability?.scoring?.custom?.dread?.custom_fields;
const damage_potential = dread?.damage_potential;
const reproducibility = dread?.reproducibility;
const exploitability = dread?.exploitability;
const affected_users = dread?.affected_users;
const discoverability = dread?.discoverability;

const score = Number.parseInt(damage_potential)
  + Number.parseInt(reproducibility)
  + Number.parseInt(exploitability)
  + Number.parseInt(affected_users)
  + Number.parseInt(discoverability);

if (score >= 1 && score <= 10) {
  return 'Low';
}
else if (score >= 11 && score <= 24) {
  return 'Medium';
}
else if (score >= 25 && score <= 39) {
  return 'High';
}
else if (score >= 40 && score <= 50) {
  return 'Critical';
}
else {
  return 'Info'
}
```

### OWASP Risk Rating Methodology

This example assumes that you have the following sections and fields configured on this scoring system:

<figure><img src="/files/nZJklmxWJs1I2cVaeAzo" alt=""><figcaption></figcaption></figure>

Likelihood Factors:

<figure><img src="/files/vsyt84edjC801iuS2hxr" alt=""><figcaption></figcaption></figure>

Impact Factors:

<figure><img src="/files/AIIzJJkF25Re8YACDbzE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NTHnU7rCpnmTfe6kgn5n" alt=""><figcaption></figcaption></figure>

Each field is a SELECT field which has a value of 0 to 9.

```javascript
const scoring = vulnerability.scoring.custom.owasp_risk_rating_methodology.custom_fields;
const entries = Object.entries(scoring);

let threat_agent_factor = 0;
let vulnerability_factor = 0;
let technical_impact_factor = 0;
let business_impact_factor = 0;

for (let x = 0; x < Array.length(entries); x++) {
  const key = entries[x][0];
  const value = Number.parseInt(entries[x][1]);
  
  if (String.startsWith(key, 'ta_')){
    threat_agent_factor = threat_agent_factor + value;
  }
  else if (String.startsWith(key, 'vf_')){
    vulnerability_factor = vulnerability_factor + value;
  }
  else if (String.startsWith(key, 'ti_')){
    technical_impact_factor = technical_impact_factor + value;
  }
  else if (String.startsWith(key, 'bi_')){
    business_impact_factor = business_impact_factor + value;
  }
}

const likelihood = ( threat_agent_factor + vulnerability_factor ) / 8;
const impact = ( technical_impact_factor + business_impact_factor ) / 8;

let likelihood_rating;
if (likelihood >= 0 && likelihood < 3) {
  likelihood_rating = 'Low';
}
else if (likelihood >= 3 && likelihood < 6) {
  likelihood_rating = 'Medium';
}
else if (likelihood >= 6 && likelihood <= 9) {
  likelihood_rating = 'High';
}

let impact_rating;
if (impact >= 0 && impact < 3) {
  impact_rating = 'Low';
}
else if (impact >= 3 && impact < 6) {
  impact_rating = 'Medium';
}
else if (impact >= 6 && impact <= 9) {
  impact_rating = 'High';
}

if (impact_rating === 'High' && likelihood_rating === 'Low') {
  return 'Medium';
}
else if (impact_rating === 'High' && likelihood_rating === 'Medium') {
  return 'High';
}
else if (impact_rating === 'High' && likelihood_rating === 'High') {
  return 'Critical';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'Low') {
  return 'Low';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'Medium') {
  return 'Medium';
}
else if (impact_rating === 'Medium' && likelihood_rating === 'High') {
  return 'High';
}
else if (impact_rating === 'Low' && likelihood_rating === 'Low') {
  return 'Info';
}
else if (impact_rating === 'Low' && likelihood_rating === 'Medium') {
  return 'Low';
}
else if (impact_rating === 'Low' && likelihood_rating === 'High') {
  return 'Medium';
}
```

### Custom 4x4 Risk Scoring

This example is based on a standard 4x4 risk matrix:

<figure><img src="/files/YdBLtAiguKe33Pjan9N6" alt=""><figcaption></figcaption></figure>

This example assumes that you have the following fields configured on this scoring system:

<figure><img src="/files/chYa1FsFxArOnPDaZWUx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Ab9j029CMS6adphWoqBc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2nXarPsj6VblLhJd9p01" alt=""><figcaption></figcaption></figure>

```javascript
const scoring = vulnerability.scoring.custom.custom_risk_scoring.custom_fields;

const probability = scoring.probability;
const impact = scoring.impact;

if (probability === 'Rare' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'Medium') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'High') {
  return 'Low';
}
else if (probability === 'Rare' && impact === 'Very High') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Unlikely' && impact === 'Medium') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'High') {
  return 'Medium';
}
else if (probability === 'Unlikely' && impact === 'Very High') {
  return 'High';
}
else if (probability === 'Possible' && impact === 'Low') {
  return 'Low';
}
else if (probability === 'Possible' && impact === 'Medium') {
  return 'Medium';
}
else if (probability === 'Possible' && impact === 'High') {
  return 'High';
}
else if (probability === 'Possible' && impact === 'Very High') {
  return 'Critical';
}
else if (probability === 'Probable' && impact === 'Low') {
  return 'Medium';
}
else if (probability === 'Probable' && impact === 'Medium') {
  return 'High';
}
else if (probability === 'Probable' && impact === 'High') {
  return 'Critical';
}
else if (probability === 'Probable' && impact === 'Very High') {
  return 'Critical';
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://support.attackforge.com/attackforge-enterprise/getting-started/vulnerability-scoring-systems.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.