The environmental score enables you to set the maximum [severity](severity.html) of an asset. It’s determined by setting impact levels to these 3 components:
7
+
The environmental score customizes the [severity](severity.html) of a vulnerability to an asset specific to the program’s organization. Setting this score enables you to see how severe the vulnerability to an asset is to your organization. It’s determined by setting impact levels to these 3 metrics:
8
8
* Confidentiality
9
9
* Integrity
10
10
* Availability
11
-
12
-
<i>You can read more on these components in the section below on <b>Environmental Score Components</b>.</i>
11
+
<i>You can read more on these metrics in the section below on <b>Environmental Score Components</b>.</i>
13
12
14
13
To set the environmental score for an asset:
15
14
1. Go to <b>Settings > Program > Scope</b>.
16
15
2. Edit an existing asset to change the environmental score by selecting the degree of importance (None, Low, Medium, High) to each component.
17
16
17
+
### Effects to the CVSS v.3 Calculator on HackerOne
18
+
There are cases where the CVSS rating on HackerOne is vastly different from the CVSS calculator on [first.org](https://www.first.org/cvss/calculator/3.0). The discrepancy in severity ratings isn’t a bug!
19
+
20
+
The CVSS calculator on first.org gives 3 different scores. The different scores are the:
21
+
* Base score
22
+
* Temporal score
23
+
* Environmental score
24
+
25
+
The CVSS score on HackerOne will be different from the CVSS scores on first.org because the score on HackerOne factors in <b>BOTH the environmental score and the base score</b> of the asset, whereas the scores on first.org are all separate.
26
+
27
+
<i>For example, you may find that the severity score for an asset on HackerOne is 4.3, whereas the base score on first.org is 5.4 and the environmental score is 5.4. The score on HackerOne is different because the environmental score is calculated into the base score, whereas on first.org, the environmental score is listed separately from the base score.</i>
28
+
29
+
#### How the Calculation Works
30
+
HackerOne doesn’t randomly put the environmental score and the base score together to get a total CVSS rating. Whatever value is selected for each metric of the environmental score (confidentiality, integrity, availability), a numeric modifier is applied to that metric in the CVSS calculator. (<i>Note: The CVSS calculator also contains metrics from the environmental score.</i>)
31
+
32
+
<i>For example, when calculating your environmental score for the asset `test.com`, you set the confidentiality to be High. When either you or a hacker calculate the severity using the CVSS calculator on HackerOne, the 1.5 modifier for the Confidentiality metric is applied to the Confidentiality component in the CVSS calculator, which will give you a different score from the base score on first.org.</i>
33
+
34
+
The following table shows what modifier is applied. The same table is used for all 3 metrics. Note that choosing a metric value of Medium or not choosing any value at all will have no effect on the base score.
35
+
36
+
Metric Value | Modifier Value | Details
37
+
------------ | -------------- | --------
38
+
High | 1.5 | Loss of Confidentiality/Integrity/Availability is likely to have a catastrophic, adverse effect on the organization or individuals associated with the organization.
39
+
Medium | 1 | Loss of Confidentiality/Integrity/Availability is likely to have a serious adverse effect on the organization or individuals associated with the organization.
40
+
Low | 0.5 | Loss of Confidentiality/Integrity/Availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization.
41
+
None | 0 | Loss of Confidentiality/Integrity/Availability is likely to have no adverse effect on the organization or individuals associated with organization.
42
+
18
43
### Effects to Severity
19
-
Setting an environmental score for an asset caps the CVSS severity rating when a hacker calculates the severity for the asset in the submission report. The maximum severity a hacker can set for the asset is shown in the <b>Maximum severity</b> field.
44
+
Setting an environmental score for an asset also caps the CVSS severity rating when a hacker calculates the severity for the asset in the submission report. The maximum severity a hacker can set for the asset is shown in the <b>Maximum severity</b> field.
20
45
21
46
For example: A program sets all 3 environmental score requirements to be None/Low for the asset `test.com` so that the maximum severity is set to None.
22
47
23
48
The hacker now can’t set the CVSS score for `test.com` to be Critical or High when submitting a report, even though the hacker selected all of the highest ratings on the CVSS calculator.
24
49
25
-
### Difference Between CVSS
26
-
There are cases where the CVSS rating in HackerOne is vastly different from the actual CVSS site. For instance, a hacker can calculate the CVSS rating when submitting a report in HackerOne, only to find that the actual CVSS site gives a different severity score.
27
-
28
-
The discrepancy in severity ratings isn’t a mistake. The CVSS site gives a generic calculation for severity, whereas an asset with an environmental score in HackerOne will give a severity score that is specific to that particular asset in that program, and so, the severity score given in the product is going to be different from the score on the CVSS site.
29
-
30
50
### Environmental Score Components
31
51
As mentioned above, the 3 components that make up the environmental score are:
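Review bot: The modifier table and the sentence introducing it disagree about what an unset metric does. The prose says "choosing a metric value of Medium or not choosing any value at all will have no effect on the base score", but the only row with a neutral modifier is `Medium | 1`; the `None | 0` row zeroes that metric's contribution, which is a real change, and the later "Effects to Severity" example (all three set to None giving a maximum severity of None) confirms that None is not a no-op. Suggest either adding an explicit `Not Defined | 1` row for the unset case (the linked first.org calculator also treats an unset requirement as Not Defined) or rewording the sentence so "not choosing any value" and "None" are clearly different selections. Minor: the new heading "Effects to the CVSS v.3 Calculator on HackerOne" should read "CVSS v3" to match how the version is written elsewhere.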