What is the Severity?
This concept is based on CVSS but is also applied where no full CVSS Base Vector is available. For example, arbitrary values in that range are applied for Overrides and used by OSP scanners even without a vector definition.
Comparison, weighting and prioritisation of any scan results or NVTs is possible because the severity concept is strictly applied across the entire system. Not a single severity is just expressed as “High”, for example. Any new NVT is assigned a full CVSS vector even if the CVE does not offer one, and any result of an OSP scanner is assigned an adequate severity value even if the respective scanner uses a different severity scheme.
The severity classes None, Low, Medium and High are defined by sub-ranges of the main range 0.0-10.0. Users can select to use different classifications. The default is the NVD classification which is the most commonly used one.
Scan results are assigned a severity when they are achieved. The severity of the related NVT may change over time, though. Users can select Dynamic Severity to let the system always use the most current severity of NVTs for the results.
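The following sketch is an added example, not code from the scanner or from this post. It walks one result through the steps described above: vector to score, score to class, and stored versus dynamic severity with an optional override. It assumes CVSS v2 base vectors and NVD-style class bounds (the post names the classes but not their ranges); all function names and the NVT identifier are hypothetical.

```python
# Added illustration; not code from the scanner the page describes.
# Assumption: CVSS v2 base metrics (weights from the CVSS v2 specification).
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def base_score(vector):
    """Severity (0.0-10.0) from a CVSS v2 base vector, e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if set(parts) != set(W):
        raise ValueError("incomplete or unknown base vector: " + vector)
    m = {k: W[k][v] for k, v in parts.items()}  # KeyError on an invalid metric value
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)

def severity_class(score):
    """Assumed NVD-style sub-ranges; the page names the classes but not the bounds."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("severity outside 0.0-10.0")
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

def effective_severity(result, nvt_now, dynamic=False, override=None):
    """Override wins; otherwise the stored value, or the NVT's current one if dynamic."""
    if override is not None:
        return override
    return nvt_now[result["nvt"]] if dynamic else result["severity"]

# Constructed sample: the NVT was re-rated after the scan result was stored.
nvt_now = {"nvt-example-1": base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P")}
result = {"nvt": "nvt-example-1",
          "severity": base_score("AV:N/AC:M/Au:N/C:N/I:P/A:N")}

if __name__ == "__main__":
    for dyn in (False, True):
        s = effective_severity(result, nvt_now, dynamic=dyn)
        print("dynamic=%s -> %.1f (%s)" % (dyn, s, severity_class(s)))
```

With the constructed data, the same result is Medium when its stored severity is used and High once Dynamic Severity picks up the NVT's current value.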