CVSS v3.1 Equations
The CVSS v3.1 equations are defined below.
Base
The Base Score is a function of the Impact and Exploitability sub score equations. Where the Base score is defined as,
If (Impact sub score <= 0) 0 else,
Scope Unchanged4 π
ππ’πππ’π(ππππππ’π[(πΌπππππ‘ + πΈπ₯πππππ‘ππππππ‘π¦), 10])
Scope Changed π
ππ’πππ’π(ππππππ’π[1.08 × (πΌπππππ‘ + πΈπ₯πππππ‘ππππππ‘π¦), 10])
and the Impact sub score (ISC) is defined as,
Scope Unchanged 6.42 × πΌππΆBase
Scope Changed 7.52 × [πΌππΆπ΅ππ π − 0.029] − 3.25 × [πΌππΆπ΅ππ π − 0.02]15
Where,
πΌππΆπ΅ππ π = 1 − [(1 − πΌπππππ‘πΆπππ) × (1 − πΌπππππ‘πΌππ‘ππ) × (1 − πΌπππππ‘π΄π£πππ)]
And the Exploitability sub score is,
8.22 × π΄π‘π‘πππππππ‘ππ × π΄π‘π‘ππππΆππππππ₯ππ‘π¦ × ππππ£ππππππ
πππ’ππππ × ππ πππΌππ‘πππππ‘πππ
Temporal
The Temporal score is defined as,
π
ππ’πππ’π(π΅ππ ππππππ × πΈπ₯πππππ‘πΆππππππ‘π’πππ‘π¦ × π
πππππππ‘ππππΏππ£ππ × π
πππππ‘πΆπππππππππ)
Environmental
The environmental score is defined as,
If (Modified Impact Sub score <= 0) 0 else,
If Modified Scope is Unchanged Round up(Round up (Minimum [ (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)
If Modified Scope is Changed Round up(Round up (Minimum [1.08 × (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)
And the modified Impact sub score is defined as,
If Modified Scope is Unchanged 6.42 × [πΌππΆππππππππ]
If Modified Scope is Changed 7.52 × [πΌππΆππππππππ − 0.029]-3.25× [πΌππΆππππππππ × 0.9731 − 0.02] 13
Where,
πΌππΆππππππππ = ππππππ’π [[1 − (1 − π. πΌπΆπππ × πΆπ
) × (1 − π. πΌπΌππ‘ππ × πΌπ
) × (1 − π. πΌπ΄π£πππ × π΄π
)], 0.915]
The Modified Exploitability sub score is,
8.22 × π. π΄π‘π‘πππππππ‘ππ × π. π΄π‘π‘ππππΆππππππ₯ππ‘π¦ × π. ππππ£ππππππ
πππ’ππππ × π. ππ πππΌππ‘πππππ‘ππn
4 Where “Round up” is defined as the smallest number, specified to one decimal place, that is equal to or higher than its input. For example, Round up (4.02) is 4.1; and Round up (4.00) is 4.0.