Severity vs. VPR
Tenable uses a static Severity and a dynamic Vulnerability Priority Rating (VPR) to quantify how urgently you should remediate a vulnerability. For more information, see:
When you view these metrics on an analysis page organized by plugin (e.g.,
Tenable assigns all vulnerabilities a static severity based on the vulnerability's CVSSv2 score.
Tenable.io imports severity values every time you run a scan.
Tenable.io analysis pages provide summary information about vulnerabilities using the following severity categories.
|Critical||The plugin's highest vulnerability CVSSv2 score is 10.0.|
|High||The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9.|
|Medium||The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9.|
|Low||The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.|
|Info||The plugin's highest vulnerability CVSSv2 score is 0. - or - The plugin does not search for vulnerabilities.|
Tenable calculates a dynamic Vulnerability Priority Rating (VPR) for most vulnerabilities. The VPR complements the static data provided by the vulnerability's CVSSv2 score and severity, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploitation.
Note: Vulnerabilities without NVD-published CVEs (e.g., many vulnerabilities with Severity: Info) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Tenable.io imports new and updated VPR values every time you run a scan.
Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores and summary data in:
- The Tenable-provided Vulnerability Management Overview dashboard
- The Vulnerabilities by Plugin plane
- The Vulnerabilities by Plugin (Classic) page
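The guidance above, sketched as an added example (not Tenable code or a Tenable API): plugins that have a VPR are queued by VPR, and plugins without one are queued by their CVSSv2-based severity. The `PluginFinding` record, the plugin IDs, the sample scores, and the severity tie-break between equal VPRs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

@dataclass
class PluginFinding:                 # hypothetical record, not a Tenable export schema
    plugin_id: int                   # constructed IDs, not real plugins
    cvss2_scores: list               # one CVSSv2 score per vulnerability the plugin covers
    vpr: Optional[float] = None      # None when no VPR was assigned

def severity(cvss2_scores):
    """Static severity from the plugin's highest CVSSv2 score."""
    if not cvss2_scores:             # plugin does not search for vulnerabilities
        return "Info"
    top = max(cvss2_scores)
    if not 0.0 <= top <= 10.0:
        raise ValueError(f"CVSSv2 score out of range: {top}")
    if top == 10.0:
        return "Critical"
    if top >= 7.0:
        return "High"
    if top >= 4.0:
        return "Medium"
    return "Low" if top >= 0.1 else "Info"

def remediation_queues(findings):
    """Return (vpr_queue, cvss_queue) as ordered lists of plugin IDs."""
    for f in findings:
        if f.vpr is not None and not 0.1 <= f.vpr <= 10.0:
            raise ValueError(f"VPR out of range for plugin {f.plugin_id}: {f.vpr}")
    # Highest VPR first; equal VPRs are broken by static severity (assumption).
    with_vpr = sorted((f for f in findings if f.vpr is not None),
                      key=lambda f: (-f.vpr, RANK[severity(f.cvss2_scores)]))
    # No VPR: fall back to CVSS-based severity, then highest score.
    without = sorted((f for f in findings if f.vpr is None),
                     key=lambda f: (RANK[severity(f.cvss2_scores)],
                                    -max(f.cvss2_scores, default=0.0)))
    return [f.plugin_id for f in with_vpr], [f.plugin_id for f in without]

# Constructed sample data for illustration only.
SAMPLE = [
    PluginFinding(900001, [10.0], vpr=5.9),
    PluginFinding(900002, [6.8, 4.3], vpr=9.6),
    PluginFinding(900003, [7.5]),
    PluginFinding(900004, []),
    PluginFinding(900005, [2.1]),
    PluginFinding(900006, [9.3], vpr=5.9),
]
if __name__ == "__main__":
    print(remediation_queues(SAMPLE))
```

Plugin 900002 is only Medium by static severity but heads the VPR queue, which is the case where the two metrics disagree.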
VPR Key Drivers
Tenable uses the following key drivers to calculate a vulnerability's VPR.
|Age of Vuln||The number of days since the National Vulnerability Database (NVD) published the vulnerability.|
|CVSSv3 Impact Score||The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score.|
|Exploit Code Maturity||The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., ReversingLabs, Exploit-DB, Metasploit). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.|
|Product Coverage||The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.|
|Threat Sources||A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.|
|Threat Intensity||The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.|
|Threat Recency||The number of days (0-730) since a threat event occurred for the vulnerability.|
Common threat events include:
- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums