CVSS v3.1 Equations

The CVSS v3.1 equations are defined below.

Base

The Base Score is a function of the Impact and Exploitability sub score equations, where the Base Score is defined as,

    If (Impact sub score <= 0)     0 else,
    Scope Unchanged [4]            Round up(Minimum[(Impact + Exploitability), 10])
    Scope Changed                  Round up(Minimum[1.08 × (Impact + Exploitability), 10])

and the Impact sub score (ISC) is defined as,

    Scope Unchanged    6.42 × ISC_Base
    Scope Changed      7.52 × [ISC_Base − 0.029] − 3.25 × [ISC_Base − 0.02]^15

Where,

    ISC_Base = 1 − [(1 − Impact_Conf) × (1 − Impact_Integ) × (1 − Impact_Avail)]

And the Exploitability sub score is,

    8.22 × AttackVector × AttackComplexity × PrivilegeRequired × UserInteraction

Temporal

The Temporal score is defined as,

    Round up(BaseScore × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

Environmental

The environmental score is defined as,

    If (Modified Impact Sub score <= 0)     0 else,

    If Modified Scope is Unchanged    Round up(Round up(Minimum[(M.Impact + M.Exploitability), 10]) × Exploit Code Maturity × Remediation Level × Report Confidence)

    If Modified Scope is Changed      Round up(Round up(Minimum[1.08 × (M.Impact + M.Exploitability), 10]) × Exploit Code Maturity × Remediation Level × Report Confidence)

And the modified Impact sub score is defined as,

    If Modified Scope is Unchanged    6.42 × [ISC_Modified]

    If Modified Scope is Changed      7.52 × [ISC_Modified − 0.029] − 3.25 × [ISC_Modified × 0.9731 − 0.02]^13

Where,

    ISC_Modified = Minimum[[1 − (1 − M.I_Conf × CR) × (1 − M.I_Integ × IR) × (1 − M.I_Avail × AR)], 0.915]

The Modified Exploitability sub score is,

    8.22 × M.AttackVector × M.AttackComplexity × M.PrivilegeRequired × M.UserInteraction

[4] Where “Round up” is defined as the smallest number, specified to one decimal place, that is equal to or higher than its input. For example, Round up (4.02) is 4.1; and Round up (4.00) is 4.0.