Vulnerability Risk Score Calculator
Calculate a composite vulnerability risk score (0–10) based on CVSS v3-inspired metrics covering exploitability and impact dimensions.
Formulas
1. ISC Base:
ISCBase = 1 − (1 − C) × (1 − I) × (1 − A)
2. Impact Sub Score (ISS):
Unchanged Scope: ISS = 6.42 × ISCBase
Changed Scope: ISS = 7.52 × (ISCBase − 0.029) − 3.25 × (ISCBase − 0.02)^15
3. Exploitability Sub Score (ESS):
ESS = 8.22 × AV × AC × PR × UI
4. Base Score:
Unchanged: BaseScore = Roundup(min(ISS + ESS, 10))
Changed: BaseScore = Roundup(min(1.08 × (ISS + ESS), 10))
5. Temporal Score:
TemporalScore = Roundup(BaseScore × E × RL × RC)
6. Final Environmental Score:
FinalScore = min(TemporalScore × AssetWeight, 10)
Severity Ratings: None (0.0) | Low (0.1–3.9) | Medium (4.0–6.9) | High (7.0–8.9) | Critical (9.0–10.0)
Assumptions & References
- Base metric weights follow CVSS v3.1 specification (FIRST.org).
- Temporal multipliers (E, RL, RC) reduce the base score to reflect real-world exploit availability and patch status.
- The Asset Value environmental weight (1.0×, 1.5×, 2.0×) is a simplified environmental modifier; in full CVSS v3.1 this is expressed via Modified Base Metrics and CR/IR/AR weights.
- Privileges Required values differ between Unchanged and Changed scope per CVSS v3.1 Table 14.
- Roundup is applied per CVSS spec: ceiling to one decimal place.
- Reference: CVSS v3.1 Specification Document, FIRST.org, 2019.
- Reference: NVD Vulnerability Metrics, NIST National Vulnerability Database.
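The six formulas above carried through in Python, as an added example that is not the calculator's own code. The metric weights, the integer-based Roundup and the rule that a non-positive ISS gives a base score of 0 are taken from the CVSS v3.1 specification; the function and dictionary names, the two-decimal rounding of the final product, and placing scores that fall between two severity bands in the lower band are assumptions made here.

```python
import math

# Metric weights from the CVSS v3.1 specification (FIRST.org).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # PR differs under Changed scope
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

def roundup(x):
    """Ceiling to one decimal place, done on integers so float noise
    (e.g. 4.000000000000001) does not bump the score to the next tenth."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def severity(score):
    if score == 0:
        return "None"
    # Assumption: a final score between two bands (e.g. 3.95) stays in the lower band.
    for upper, name in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < upper:
            return name
    return "Critical"

def risk_score(av, ac, pr, ui, scope, c, i, a, e="X", rl="X", rc="X", asset_weight=1.0):
    changed = scope == "C"
    isc_base = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        iss = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15
    else:
        iss = 6.42 * isc_base
    ess = 8.22 * AV[av] * AC[ac] * (PR_CHANGED if changed else PR_UNCHANGED)[pr] * UI[ui]
    if iss <= 0:
        base = 0.0   # CVSS v3.1: no impact means a base score of 0
    else:
        base = roundup(min((1.08 if changed else 1.0) * (iss + ess), 10))
    temporal = roundup(base * E[e] * RL[rl] * RC[rc])
    # Assumption: round to two decimals only to strip float noise from the product.
    final = round(min(temporal * asset_weight, 10), 2)
    return {"base": base, "temporal": temporal, "final": final, "severity": severity(final)}

if __name__ == "__main__":
    # Constructed input: network-reachable, no privileges, full C/I/A loss,
    # proof-of-concept exploit, official fix available, asset weight 1.0.
    print(risk_score("N", "L", "N", "N", "U", "H", "H", "H", e="P", rl="O", rc="C"))
```

Because AssetWeight multiplies the temporal score directly, a Medium finding such as base 6.1 reaches 9.15 (Critical) at the 1.5× weight, which is worth keeping in mind when comparing these results with NVD base scores.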