Severity vs. VPR

Tenable uses a static Severity and a dynamic Vulnerability Priority Rating (VPR) to quantify how urgently you should remediate a vulnerability. For more information, see:

When you view these metrics on an analysis page organized by plugin (e.g., the Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated for a vulnerability associated with the plugin.

Severity

Tenable assigns all vulnerabilities a static severity based on the vulnerability's CVSSv2 score.

Tenable.io imports severity values every time you run a scan.

Severity Categories

Tenable.io analysis pages provide summary information about vulnerabilities using the following severity categories. For more information about the icons used for each severity, see Vulnerability Severity Indicators.

| Severity | Description |
|---|---|
| Critical | The plugin's highest vulnerability CVSSv2 score is 10.0. |
| High | The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. |
| Medium | The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. |
| Low | The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9. |
| Info | The plugin's highest vulnerability CVSSv2 score is 0. - or - The plugin does not search for vulnerabilities. |

Vulnerability Priority Rating

Tenable calculates a dynamic Vulnerability Priority Rating (VPR) for most vulnerabilities. The VPR is a dynamic companion to the static data provided by the vulnerability's CVSSv2 score and severity, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploit.

Note: Vulnerabilities without NVD-published CVEs (e.g., many vulnerabilities with Severity: Info) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Tenable.io imports new and updated VPR values every time you run a scan.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores and summary data in:

VPR Key Drivers

Tenable uses the following key drivers to calculate a vulnerability's VPR.

| Key Driver | Description |
|---|---|
| Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability. |
| CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score. |
| Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories. |
| Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High. |
| Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events. |
| Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High. |
| Threat Recency | The number of days (0-730) since a threat event occurred for the vulnerability. |

Common threat events include:

  • An exploit of the vulnerability
  • A posting of the vulnerability exploit code in a public repository
  • A discussion of the vulnerability in mainstream media
  • Security research about the vulnerability
  • A discussion of the vulnerability on social media channels
  • A discussion of the vulnerability on the dark web and underground
  • A discussion of the vulnerability on hacker forums
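The following added example (not Tenable code, and not how Tenable.io works internally) applies the rules above to exported findings: it keeps the highest CVSSv2 score and VPR per plugin, maps the score to a severity category, and orders remediation by VPR with CVSS-based severity as the fallback. The field names, the plugin names, the sample scores, and the choice to place plugins without a VPR after those with one are assumptions.

```python
from collections import defaultdict

def severity(cvss2):
    """Map a plugin's highest CVSSv2 score to the severity categories above."""
    if cvss2 is None or cvss2 == 0:  # score 0, or plugin does not search for vulnerabilities
        return "Info"
    if cvss2 >= 10.0:
        return "Critical"
    if cvss2 >= 7.0:
        return "High"
    if cvss2 >= 4.0:
        return "Medium"
    return "Low"

def by_plugin(findings):
    """Collapse findings to one row per plugin, keeping the highest CVSSv2 and VPR."""
    rows = defaultdict(lambda: {"cvss2": None, "vpr": None})
    for f in findings:
        row = rows[f["plugin"]]
        for key in ("cvss2", "vpr"):
            if f.get(key) is not None and (row[key] is None or f[key] > row[key]):
                row[key] = f[key]
    return {p: {**r, "severity": severity(r["cvss2"])} for p, r in rows.items()}

def remediation_order(findings):
    """Highest VPR first; plugins without a VPR follow, by CVSSv2 score (assumed policy)."""
    rows = by_plugin(findings)
    def key(p):
        r = rows[p]
        return (r["vpr"] is None, -(r["vpr"] or 0.0), -(r["cvss2"] or 0.0))
    return sorted(rows, key=key)

# Constructed sample data: plugin names and scores are made up.
SAMPLE = [
    {"plugin": "plugin-A", "cvss2": 10.0, "vpr": 5.9},
    {"plugin": "plugin-B", "cvss2": 6.8, "vpr": 9.6},
    {"plugin": "plugin-B", "cvss2": 4.3, "vpr": 7.4},
    {"plugin": "plugin-C", "cvss2": 7.5, "vpr": None},  # no NVD-published CVE, so no VPR
    {"plugin": "plugin-D", "cvss2": 0.0, "vpr": None},
    {"plugin": "plugin-E", "cvss2": 2.1, "vpr": None},
]

if __name__ == "__main__":
    rows = by_plugin(SAMPLE)
    for p in remediation_order(SAMPLE):
        print(p, rows[p]["severity"], rows[p]["cvss2"], rows[p]["vpr"])
```

In the sample, the Medium-severity plugin-B is queued ahead of the Critical-severity plugin-A because its VPR is higher, which is the difference between the static and dynamic metrics.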

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.