Configure Your Default Severity Base

Note: By default, new installations of Nessus use CVSSv3 scores (when available) to calculate severity for vulnerabilities. Preexisting, upgraded installations retain the previous default of CVSSv2 scores.

In Nessus scanners and Nessus Professional, you can choose whether Nessus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by configuring your default severity base setting. When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base.

You can also configure individual scans to use a particular severity base, which overrides the default severity base for that scan, as described in Configure Severity Base for an Individual Scan.

For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR.

To configure your default severity base:

  1. In the top navigation bar, click Settings.

    The About page appears.

  2. In the left navigation bar, click Advanced.

    The Advanced Settings page appears.

  3. Click the Scanning tab.

    The scanning advanced settings appear.

  4. In the table, click the row for the System Default Severity Basis setting.

    Tip: Use the search bar to search for any part of the setting name.

    The setting configuration window appears.

  5. In the Value drop-down box, select CVSS v2.0 or CVSS v3.0 for your default severity base.

  6. Click Save.

    Nessus updates the default severity base for your instance. Existing scans with the default severity base update to reflect the new default. Individual scans with overridden severity bases do not change.