CVSS Scores vs. VPR

Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to quantify the risk and urgency of a vulnerability.

CVSS

Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors, Tenable independently calculates the Risk Factor.

CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the vulnerability's static CVSS score (the CVSS version depends on your configuration). For more information, see Configure Default Severity.

Tenable Nessus analysis pages provide summary information about vulnerabilities using the following CVSS categories.

Severity

 CVSSv2 Range CVSSv3 Range
Critical

The plugin's highest vulnerability CVSSv2 score is 10.0.

The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0.
High The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9.
Medium The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9.
Low

The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.

The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9.
Info

The plugin's highest vulnerability CVSSv2 score is 0.

- or -

The plugin does not search for vulnerabilities.

The plugin's highest vulnerability CVSSv3 score is 0.

- or -

The plugin does not search for vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.

VPR Category VPR Range
Critical

9.0 to 10.0
High 7.0 to 8.9
Medium 4.0 to 6.9
Low

0.1 to 3.9

Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Note: VPR scores shown in Nessus are static and do not update dynamically. You have to rescan to view the latest and most accurate VPR scores.

Tenable Nessus provides a VPR value the first time you scan a vulnerability on your network.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores and summary data in:

  • The VPR Top Threats for an individual scan, as described in View VPR Top Threats.
  • The Top 10 Vulnerabilities report for an individual scan. For information on creating the report, see Create a Scan Report.

VPR Key Drivers

You can view the following key drivers to explain a vulnerability's VPR.

Note:Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.

Key Driver

 Description
Age of Vuln

The number of days since the National Vulnerability Database (NVD) published the vulnerability.
CVSSv3 Impact Score

The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Nessus displays a Tenable-predicted score.
Exploit Code Maturity

The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage

The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Threat Sources

A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
Threat Intensity

The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
Threat Recency

The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

  • An exploit of the vulnerability
  • A posting of the vulnerability exploit code in a public repository
  • A discussion of the vulnerability in mainstream media
  • Security research about the vulnerability
  • A discussion of the vulnerability on social media channels
  • A discussion of the vulnerability on the dark web and underground
  • A discussion of the vulnerability on hacker forums