CVSS vs. VPR

Note: While Tenable Vulnerability Management calculates Severity metrics based off CVSS, Tenable Exposure Management bases them solely off of VPR. As such, you can expect a difference in Severity values between the two applications.

Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated for a vulnerability associated with the plugin.

For Tenable Lumin-specific information about VPR and the other Tenable Lumin metrics, see Tenable Lumin Metrics.

CVSS

Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors, Tenable independently calculates the Risk Factor.

Tenable Vulnerability Management imports a CVSS score every time a scan sees a vulnerability.

CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the vulnerability's static CVSS score (the CVSS version depends on your configuration). For more information, see Configure Your Severity Metric.

Tenable Vulnerability Management analysis pages provide summary information about vulnerabilities using the following CVSS categories. For more information about the icons used for each severity, see Vulnerability Severity Indicators.

Caution: If the most severe CVE is a denial of service vulnerability, the overall score is based on the highest non-denial of service vulnerability. This nuance isn't something many people know, and is a frequent source of confusion.

Severity

CVSSv2 Range CVSSv3 Range CVSSv4 Range
Critical

The plugin's highest vulnerability CVSSv2 score is 10.0.

The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0.

The plugin's highest vulnerability CVSSv4 score is between 9.0 and 10.0.
High The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9. The plugin's highest vulnerability CVSSv4 score is between 7.0 and 8.9.
Medium The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9. The plugin's highest vulnerability CVSSv4 score is between 4.0 and 6.9.
Low

The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.

The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9.

The plugin's highest vulnerability CVSSv4 score is between 0.1 and 3.9.
Info

The plugin's highest vulnerability CVSSv2 score is 0.

- or -

The plugin does not search for vulnerabilities.

The plugin's highest vulnerability CVSSv3 score is 0.

- or -

The plugin does not search for vulnerabilities.

The plugin's highest vulnerability CVSSv3 score is 0.

- or -

The plugin does not search for vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.

VPR Category VPR Range
Critical

9.0 to 10.0

High 7.0 to 8.9
Medium 4.0 to 6.9
Low

0.1 to 3.9

Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable Vulnerability Management automatically provides new and updated VPR values daily.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores and summary data in:

VPR Key Drivers

Some key drivers that you can view to explain a vulnerability's VPR include, but are not limited to:

Note:Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.

Key Driver

Description
exploitChain

Exploit chain types (comma-separated list).

exploitCodeMaturity

Maturity level of exploit code: High, Functional, Proof of Concept, or Unproven.

exploitProbability

Probability of exploit as a percentage (0–100%).

inTheNewsIntensityLast30

News coverage intensity in the last 30 days: Very Low, Low, Medium, High, or Very High.

inTheNewsRecency

Recency of news coverage in days (formatted as ranges).

inTheNewsSourcesLast30

News sources in the last 30 days. Possible values include: Cyber News & Media, Cybersecurity Vendors, Security Research, Tools & Resources, Blogs & Individual Researchers, Mainstream News & Media, Government & Regulatory, Forums & Community Platforms, Academic & Research Institutions, Code Repositories, Technology Companies, and Other.

malwareObservationsIntensityLast30

Malware observation intensity in the last 30 days: Very Low, Low, Medium, High, or Very High.

malwareObservationsRecency

Recency of malware observations in days (formatted as ranges).

onCisaKev

Whether the vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list: Yes or No.

score

VPR score (numeric value with one decimal place).

targetedIndustries

List of industries targeted by the vulnerability (27 industry types available).

targetedRegions

List of regions targeted by the vulnerability (40+ regions available).

vprPercentile

VPR percentile ranking (0–100%).

vprSeverity

VPR severity level: Low, Medium, High, or Critical.

Threat Event Examples

Common threat events include:

  • An exploit of the vulnerability
  • A posting of the vulnerability exploit code in a public repository
  • A discussion of the vulnerability in mainstream media
  • Security research about the vulnerability
  • A discussion of the vulnerability on social media channels
  • A discussion of the vulnerability on the dark web and underground
  • A discussion of the vulnerability on hacker forums