When calculating a severity through CVSS, the (base) score is a representation of the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It does not take the importance of the affected asset into account. This is where the environmental score comes into play.
The environmental score is the base score of a severity multiplied by environmental metric modifiers. Environmental metrics are used to contextualize the importance of the confidentiality, integrity, or availability of an asset to the organization. When you calculate a severity with the CVSS calculator, the environmental score is used by default. The base score is used only if the report does not have an associated asset or the asset does not have environmental metrics.
To set the environmental metric for an asset:
Go to Program Settings > Program > Scope.
Edit an existing asset to change the environmental score by selecting the degree of importance for each component.
HackerOne supports the following environmental metric modifiers:
The None modifier is not part of the official CVSS standard. This is part of HackerOne’s custom CVSS 3.0 implementation. Check out the table below to see how the environmental metric modifiers affect the severity subscores.
The modifier is multiplied by the confidentiality, integrity, or availability subscore. The subscores together decide the final environmental score.