Common Vulnerabilities and Exposures (CVE) is extensively used as a source of known vulnerabilities. Hexagon utilizes the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of computer system security vulnerabilities, to analyze and score the severity of detected vulnerabilities. For specific documentation for CVE and CVSS, see Common Vulnerabilities and Exposures and Common Vulnerability Scoring System.
Hexagon uses the CVSS standard to determine the severity of computer security vulnerabilities. The standard consists of three different metric groups:
- Base Metric Group
- Temporal Metric Group
- Environmental Metric Group
The CVSS ranks the severity of security vulnerabilities on a scale of 0.0 - 10.0. Each score range is classified using a severity rating of either None, Low, Medium, High, or Critical, as shown in the following table:
Severity Rating | CVSS Score |
---|---|
None | 0.0 |
Low | 0.1 - 3.9 |
Medium | 4.0 - 6.9 |
High | 7.0 - 8.9 |
Critical | 9.0 - 10.0 |
Where a Common Vulnerabilities and Exposures public record is not listed, Hexagon uses a CVSS calculator to manually review and score any security issues. Hexagon ALI classifies a security vulnerability as Critical when its CVSS score is 9.0 or higher.