CVSS Scores vs. VPR
Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to quantify the risk and urgency of a vulnerability.
Note: When you view these metrics on an analysis page organized by plugin (for example,
For Lumin-specific information about VPR and the other Lumin metrics, see Lumin Metrics.
Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities.
Tip: Risk Factor and Severity values are unrelated; they are calculated separately.
Tenable.io imports a CVSS score every time a scan sees a vulnerability.
Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the vulnerability's static CVSSv2 score.
Tenable.io analysis pages provide summary information about vulnerabilities using the following CVSS categories.
|Critical||The plugin's highest vulnerability CVSSv2 score is 10.0.|
|High||The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9.|
|Medium||The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9.|
|Low||The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.|
|Info||The plugin's highest vulnerability CVSSv2 score is 0. - or - The plugin does not search for vulnerabilities.|
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.
|VPR Category||VPR Range|
|Critical||9.0 to 10.0|
|High||7.0 to 8.9|
|Medium||4.0 to 6.9|
|Low||0.1 to 3.9|
Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (e.g., many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Note: You cannot edit VPR values.
Tenable.io provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable.io automatically provides new and updated VPR values daily.
Tenable recommends resolving vulnerabilities with the highest VPRs first.
You can view VPR values in:
- The Tenable-provided Vulnerability Management Overview dashboard
- The Vulnerabilities by Plugin plane
- The Vulnerabilities by Plugin (Classic) page
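The prioritization described above (highest VPR first, CVSS-based severity for vulnerabilities that have no VPR), as an added Python example that is not Tenable code. The field names `plugin_id`, `vpr` and `cvss2`, the split into two queues, the CVSSv2 tie-break and the sample findings are assumptions constructed for illustration.

```python
# Added example. Field names are assumptions, not Tenable's export schema.
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

def vpr_category(vpr):
    """Apply the VPR range table; None means no VPR was assigned."""
    if vpr is None:
        return None
    if not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if vpr >= floor:
            return name
    return "Low"

def cvss2_severity(score):
    """Apply the CVSSv2 severity table; None means the plugin does not
    search for vulnerabilities, which the table treats as Info."""
    if score is None or score == 0:
        return "Info"
    if not 0 < score <= 10.0:
        raise ValueError(f"CVSSv2 score out of range: {score}")
    for floor, name in ((10.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return name
    return "Low"

def triage(findings):
    """Return (vpr_queue, cvss_queue) as lists of plugin IDs.
    vpr_queue: findings with a VPR, highest VPR first (CVSSv2 breaks ties).
    cvss_queue: findings without a VPR, highest CVSS-based severity first."""
    with_vpr = [f for f in findings if f.get("vpr") is not None]
    without = [f for f in findings if f.get("vpr") is None]
    with_vpr.sort(key=lambda f: (f["vpr"], f.get("cvss2") or 0), reverse=True)
    without.sort(key=lambda f: SEVERITY_ORDER.index(cvss2_severity(f.get("cvss2"))),
                 reverse=True)
    return [f["plugin_id"] for f in with_vpr], [f["plugin_id"] for f in without]

# Constructed sample findings; the IDs are placeholders, not real plugin IDs.
FINDINGS = [
    {"plugin_id": "demo-1", "vpr": 3.4, "cvss2": 10.0},  # Critical severity, Low VPR
    {"plugin_id": "demo-2", "vpr": 9.6, "cvss2": 6.8},   # Medium severity, Critical VPR
    {"plugin_id": "demo-3", "vpr": None, "cvss2": 0},    # Info, no VPR
    {"plugin_id": "demo-4", "vpr": None, "cvss2": 5.0},  # Medium, no VPR
    {"plugin_id": "demo-5", "vpr": 7.4, "cvss2": 7.5},   # High on both scales
]

if __name__ == "__main__":
    vpr_queue, cvss_queue = triage(FINDINGS)
    print("Remediate by VPR:", vpr_queue)
    print("Remediate by CVSS severity:", cvss_queue)
```

In the sample, `demo-1` is Critical by CVSSv2 but lands last in the VPR queue, while `demo-2` is only Medium by CVSSv2 and lands first.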
VPR Key Drivers
You can view the following key drivers to explain a vulnerability's VPR.
Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.
|Age of Vuln||The number of days since the National Vulnerability Database (NVD) published the vulnerability.|
|CVSSv3 Impact Score||The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score.|
|Exploit Code Maturity||The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.|
|Product Coverage||The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.|
|Threat Sources||A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.|
|Threat Intensity||The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.|
|Threat Recency||The number of days (0-730) since a threat event occurred for the vulnerability.|
Common threat events include:
- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums