The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. On the other hand, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.
While the vulnerable component is typically a software application, module, driver, etc. (or possibly even a hardware device), the impacted component could be a software application, a hardware device or a network resource. This potential for measuring the impact of a vulnerability on something other than the vulnerable component is a key feature of CVSS v3.0. This property is captured, and further discussed, by the Scope metric below.
I was hoping to get some clarification from FIRST on this (CC'ed), does "vulnerable component" mean a single thing only, or can it mean multiple components which intersect to create a vuln?
Also, we should probably have some more cross-pollination to determine/define these basic terms and make sure we're all on the same page (like what is hardware, e.g. where do FPGAs fit in this pile?).