Using the CVSS calculator (incl. 4.0) on Intigriti

More details on Intigriti's CVSS calculator

Written by Yannick
Updated this week

Our platform features a built-in CVSS (Common Vulnerability Scoring System) calculator to help you assess the severity of vulnerabilities. By default, it uses CVSS 3.0. You can switch to CVSS 4.0 at any time to take advantage of more granular and accurate scoring, ensuring alignment with industry-standard risk evaluation practices.

Key takeaways:

  • The Intigriti platform uses a CVSS calculator for severity assessment; CVSS 3.0 is the default.

  • CVSS 4.0 is available as an alternative, offering enhanced scoring precision.

  • The CVSS calculator is used during submission triage to determine severity.

  • Company administrators can modify the CVSS version in the Admin settings for all programs.

  • Switching CVSS versions only affects future submissions.

Who this article is for: Company admins, security teams, and anyone involved in triaging and assessing vulnerabilities on the Intigriti platform.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a global open standard for assigning a numerical score to a vulnerability to convey its severity. This score helps organizations prioritize remediation efforts.

Intigriti's CVSS Calculator

To standardize and simplify severity assessment, our platform includes an integrated CVSS calculator. When triaging a submission, you can use this tool to input various metrics related to the vulnerability, which then generates a severity score (e.g., Low, Medium, High, Critical) and a CVSS vector string. Currently, our platform defaults to using the CVSS 3.0 model for all calculations unless CVSS 4.0 is explicitly enabled.

How to use the severity calculator on Intigriti?

The severity calculator is typically accessed when you are triaging a vulnerability submission.

The specific metrics available will differ slightly depending on whether CVSS 3.0 or CVSS 4.0 is active.

How to select a CVSS version

  • Navigate to your company's Admin settings section.

  • Click “Edit” on severity assessment.

  • Select CVSS 3.0 (the default) or CVSS 4.0.

  • Save the changes.

Important considerations: This configuration is set at the company level. Once switched, all programs within your organization will use CVSS 4.0 for new assessments. The program severity assessment placeholder is now replaced by a link to the Triage standards, which will be updated to reflect CVSS 4.0 guidance.

Impact of switching to CVSS 4.0

  • New submissions: All new vulnerability submissions received after your change will use the selected calculator for their severity assessment.

  • Duplicate submissions: In case of a duplicate submission, the severity vector and level from the parent submission will be copied to the child submission. This change will be logged in the submission activity thread for transparency.

CVSS 4.0 builds upon its predecessor with several key enhancements:

  • More granular metrics: It introduces new metrics and refines existing ones to capture a more detailed picture of the vulnerability's characteristics.

  • Supplemental metrics: CVSS 4.0 includes supplemental metrics (e.g., Safety, Automatability, Recovery, Value Density, Vulnerability Response Effort) that are not directly part of the score calculation but provide crucial context for risk assessment.

  • Clarity and accuracy: The framework aims to reduce ambiguity and provide a score that more accurately reflects the real-world impact of a vulnerability.

By choosing CVSS 4.0, your organization can benefit from these advancements for more precise evaluations and better-aligned rewards for researchers.
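
Because a version switch only affects future submissions, exported data can contain both CVSS 3.0 and CVSS 4.0 vector strings. The Python sketch below is an added example (not Intigriti's code) that parses either version and separates the CVSS 4.0 supplemental metrics from the base metrics that drive the score. The metric abbreviations follow the FIRST CVSS specifications; the function name and sample vectors are constructed for this illustration.

```python
# Base metrics required in a vector, per the FIRST CVSS v3.0 / v4.0 specifications.
BASE = {
    "3.0": ["AV", "AC", "PR", "UI", "S", "C", "I", "A"],  # here S = Scope
    "4.0": ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"],
}
# CVSS 4.0 supplemental metrics: context only, they never change the score.
# Note that in 4.0 the key S means Safety, not Scope.
SUPPLEMENTAL_40 = {
    "S": "Safety", "AU": "Automatable", "R": "Recovery",
    "V": "Value Density", "RE": "Vulnerability Response Effort",
    "U": "Provider Urgency",
}

# Constructed sample vectors, one per version.
SAMPLE_V3 = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
SAMPLE_V4 = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N"
             "/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:M")

def parse_vector(vector):
    """Return the version, base metrics and (4.0 only) supplemental metrics."""
    prefix, _, rest = vector.strip().partition("/")
    if not prefix.startswith("CVSS:"):
        raise ValueError("missing CVSS: prefix")
    version = prefix[len("CVSS:"):]
    if version not in BASE:
        raise ValueError(f"unsupported CVSS version: {version}")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not (key and sep and value):
            raise ValueError(f"malformed metric: {part!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric: {key}")
        metrics[key] = value
    missing = [m for m in BASE[version] if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    base = {m: metrics[m] for m in BASE[version]}
    supplemental = {}
    if version == "4.0":
        supplemental = {SUPPLEMENTAL_40[k]: v
                        for k, v in metrics.items() if k in SUPPLEMENTAL_40}
    return {"version": version, "base": base, "supplemental": supplemental}

if __name__ == "__main__":
    for sample in (SAMPLE_V3, SAMPLE_V4):
        print(parse_vector(sample))
```
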
