Configure Your Default Severity Base

Note: By default, new installations of Tenable Nessus use CVSSv3 scores (when available) to calculate severity for vulnerabilities. Preexisting, upgraded installations retain the previous default of CVSSv2 scores.

In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2, CVSSv3, or CVSSv4 scores (when available) by configuring your default severity base setting. When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base.

You can also configure individual scans to use a particular severity base, which overrides the default severity base for that scan, as described in Configure the Severity Base for an Individual Scan.

For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR.

Note: You cannot configure the default severity base in Tenable Nessus Manager.

To configure your default severity base:

  1. In the top navigation bar, click Settings.

    The About page appears.

  2. In the left navigation bar, click Advanced.

    The Advanced Settings page appears.

  3. Click the Scanning tab.

    The scanning advanced settings appear.

  4. In the table, click the row for the System Default Severity Basis setting.

    Tip: Use the search bar to search for any part of the setting name.

    The setting configuration window appears.

  5. In the Value drop-down box, select CVSS v2.0, CVSS v3.0, or CVSS v4.0 for your default severity base.

  6. Click Save.

    Tenable Nessus updates the default severity base for your instance. Existing scans with the default severity base update to reflect the new default. Individual scans with overridden severity bases do not change.
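
Before changing the default, it helps to estimate which findings will be re-rated. The following Python sketch is an added example, not Tenable code: it models the behavior described above (scans on the default follow the change, scans with an overridden base do not) and lists the findings whose severity label would differ. Assumptions: the `cvss_v2`/`cvss_v3` keys, scan names and plugin names are hypothetical sample data, the severity ranges are the ones Tenable publishes in CVSS Scores vs. VPR rather than on this page, and findings lacking a score for either base are skipped instead of guessing a fallback.

```python
# Lower bound of each severity label, highest first.
# Assumption: Tenable's published CVSS ranges; verify against "CVSS Scores vs. VPR".
RANGES = {
    "cvss_v2": [(10.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")],
    "cvss_v3": [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")],
}

def severity(score, base):
    """Map a score to a severity label for the given base; None if no score."""
    if score is None:
        return None
    for floor, label in RANGES[base]:
        if score >= floor:
            return label
    return "Info"

def effective_base(scan, default_base):
    """A per-scan override wins; otherwise the scan follows the default."""
    return scan.get("override") or default_base

def impact(scans, old_default, new_default):
    """Return (scan, plugin, before, after) for findings whose label changes."""
    changes = []
    for scan in scans:
        old_base = effective_base(scan, old_default)
        new_base = effective_base(scan, new_default)
        if old_base == new_base:
            continue  # overridden scans are unaffected by the default
        for f in scan["findings"]:
            before = severity(f.get(old_base), old_base)
            after = severity(f.get(new_base), new_base)
            if before and after and before != after:
                changes.append((scan["name"], f["plugin"], before, after))
    return changes

# Constructed sample data (hypothetical scans, plugins and scores).
SCANS = [
    {"name": "weekly-dmz", "override": None, "findings": [
        {"plugin": "sample-1", "cvss_v2": 7.5, "cvss_v3": 9.8},
        {"plugin": "sample-2", "cvss_v2": 5.0, "cvss_v3": 5.3},
        {"plugin": "sample-3", "cvss_v2": 4.3, "cvss_v3": None},
    ]},
    {"name": "legacy-lab", "override": "cvss_v2", "findings": [
        {"plugin": "sample-1", "cvss_v2": 7.5, "cvss_v3": 9.8},
    ]},
]

if __name__ == "__main__":
    for row in impact(SCANS, "cvss_v2", "cvss_v3"):
        print("%s: %s %s -> %s" % row)
```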