Severity: Learn How Cyberbay Calculates Report Severity

Learn about the methods and criteria Cyberbay uses to calculate the severity of bug reports, ensuring consistent and accurate evaluations.

How Cyberbay Determines Report Severity

The final severity of a bug report is determined by Cyberbay. While the initial notes provided by the hunter are helpful, the final severity rating is confirmed using the Common Vulnerability Scoring System (CVSS) and our internal validation processes. This ensures a consistent and accurate evaluation of each report.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental.

  • Base Group: Represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. These include factors such as the ease of exploitation and the impact on confidentiality, integrity, and availability.
  • Threat Group: Reflects the characteristics of a vulnerability that change over time, such as the existence of active exploitation or the availability of patches.
  • Environmental Group: Represents the characteristics of a vulnerability that are unique to a user’s environment, including the presence of mitigating controls and the importance of affected assets.
  • Supplemental Group: Provides additional insight into the characteristics of a vulnerability but does not modify the final score.

Calculating the Severity Score

Base metric values are combined with default values that assume the highest severity for Threat and Environmental metrics to produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations.

A CVSS vector string is a compact textual representation of the metric values used to derive the score. This comprehensive approach allows for a detailed and accurate assessment of each vulnerability’s severity.
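As an added example, not Cyberbay's own tooling, the Python below parses a CVSS v4.0 vector string into the four metric groups described above, validates the metric names and values against the v4.0 definitions, and applies the worst-case defaults the scoring step uses when Threat and Environmental metrics are left Not Defined (X): E:X counts as Attacked, CR/IR/AR:X as High, and a modified Base metric left at X takes its Base value. The sample vector is constructed; computing the final 0 to 10 score additionally needs the specification's MacroVector lookup tables, which are not reproduced here.

```python
# CVSS v4.0 metric abbreviations per group; each string lists the allowed codes.
METRICS = {
    "Base": {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
             "VC": "HLN", "VI": "HLN", "VA": "HLN",
             "SC": "HLN", "SI": "HLN", "SA": "HLN"},
    "Threat": {"E": "XAPU"},
    "Environmental": {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                      "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH",
                      "MUI": "XNPA", "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
                      "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"},
    "Supplemental": {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC",
                     "RE": "XLMH", "U": "X Clear Green Amber Red"},
}
# Space-separated strings hold multi-letter codes; single letters are split.
LOOKUP = {m: (g, v.split() if " " in v else list(v))
          for g, ms in METRICS.items() for m, v in ms.items()}
# Constructed sample (hypothetical values): Base metrics plus E, CR, MAV and AU.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:L/MAV:A/AU:Y"

def parse_vector(vector):
    """Return {group: {metric: value}}; reject a non-4.0 prefix, unknown or
    duplicate metrics, invalid values, or a missing mandatory Base metric."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with CVSS:4.0/")
    groups = {g: {} for g in METRICS}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        group, allowed = LOOKUP.get(name, (None, []))
        if value not in allowed:  # exact match, so "AV:NA" or "AV:" is rejected
            raise ValueError(f"unknown metric or value in {part!r}")
        if name in groups[group]:
            raise ValueError(f"duplicate metric {name}")
        groups[group][name] = value
    missing = sorted(set(METRICS["Base"]) - set(groups["Base"]))
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return groups

def effective_metrics(groups):
    """Apply scoring defaults: E:X -> A, CR/IR/AR:X -> H, modified Base metric
    at X -> its Base value. Supplemental metrics are dropped (no score effect)."""
    base, threat, env = groups["Base"], groups["Threat"], groups["Environmental"]
    eff = dict(base)
    eff["E"] = threat.get("E", "X").replace("X", "A")
    for m in ("CR", "IR", "AR"):
        eff[m] = env.get(m, "X").replace("X", "H")
    for m in base:
        eff["M" + m] = env.get("M" + m, "X").replace("X", base[m])
    return eff
```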

For more detailed information on CVSS, you can refer to the official CVSS version 4.0 User Guide.

Cyberbay’s Internal Validation Processes

In addition to using CVSS, Cyberbay employs internal validation processes to ensure a consistent and accurate evaluation of each report. This includes:

  • Review by Security Experts: Our team of security experts reviews each report to validate the findings and ensure the accuracy of the initial assessment.
  • Cross-Referencing with Industry Standards: We cross-reference our findings with industry standards and threat intelligence to ensure comprehensive coverage of potential impacts.
  • Continuous Improvement: We regularly update our validation processes to incorporate the latest best practices and threat intelligence.

By combining the structured approach of CVSS with our rigorous internal validation processes, we ensure that each report is accurately and consistently evaluated for severity.

Understanding how Cyberbay calculates report severity can help you better prepare and submit detailed bug reports, contributing to a more secure digital environment.
