CVSS 3.0

Learn about HackerOne's custom implementation of CVSS 3.0

HackerOne uses a custom implementation of CVSS 3.0. It is an adaptation of the official CVSS 3.0 standard. There are cases where the CVSS rating on HackerOne is vastly different from the CVSS calculator on first.org. The discrepancy in severity ratings isn’t a bug!

The CVSS calculator on first.org gives three different scores:

  • Base score

  • Temporal score

  • Environmental score

The CVSS score on HackerOne will differ from the scores on first.org because the HackerOne score folds the asset's environmental score into the base score, whereas first.org reports the base, temporal and environmental scores separately.

Example: You may find that the severity score for an asset on HackerOne is 4.3, whereas the base score on first.org is 5.4, and the environmental score is 5.4. The score on HackerOne is different because the environmental score is calculated into the base score, whereas on first.org, the environmental score is listed separately from the base score.

How the Calculation Works

HackerOne doesn’t randomly put the environmental score and base scores together to get a total CVSS rating. A numeric modifier is applied to each metric of the environmental score (confidentiality, integrity, availability) in the CVSS calculator.

Note: The CVSS calculator on HackerOne also contains the environmental metrics, so the modifiers below are applied inside the same calculation that produces the base score.

Example: When calculating your environmental score for the asset test.com, you set the confidentiality to High. When either you or the program calculates the severity using the CVSS calculator on HackerOne, the x1.5 modifier for the Confidentiality metric is applied to the Confidentiality component in the CVSS calculator, which gives you a different score from the base score on first.org.

The following table shows what modifier is applied. The same table is used for all three metrics. Choosing a metric value of Medium or not choosing any value at all will not affect the base score.

Environmental Metric | Modifier
Not Assigned | x1.0
None | x0.0
Low | x0.5
Medium | x1.0
High | x1.5

Our CVSS 3.0 Formula

Our custom implementation uses the following formula:

// Example for: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/CR:M/IR:L/AR:L

attack_vector = 0.85
attack_complexity = 0.77
privileges_required = 0.50 // PR:H with scope changed
user_interaction = 0.85
confidentiality = 0.56 * 1.0 // CR:M = 1.0
integrity = 0.56 * 0.5 // IR:L = 0.5
availability = 0.56 * 0.5 // AR:L = 0.5

EXPLOITABILITY_COEFFICIENT = 8.22
SCOPE_COEFFICIENT = 1.08
IMPACT_SCORE_BOUND = 0.915

// the modified C/I/A weights feed the impact base directly
base = 1.0 - ((1.0 - confidentiality) * (1.0 - integrity) * (1.0 - availability))
base = 1.0 - ((1.0 - 0.56) * (1.0 - 0.28) * (1.0 - 0.28)) = 0.7719
base = [base, IMPACT_SCORE_BOUND].min = 0.7719

// for scope changed
impact_subscore = 7.52 * (base - 0.029) - 3.25 * ((base - 0.02)**15.0)
impact_subscore = 7.52 * (0.7719 - 0.029) - 3.25 * ((0.7719 - 0.02)**15.0) = 5.5415
exploitability_subscore = EXPLOITABILITY_COEFFICIENT * attack_vector * attack_complexity * privileges_required * user_interaction
exploitability_subscore = 8.22 * 0.85 * 0.77 * 0.50 * 0.85 = 2.2865

subscores = impact_subscore + exploitability_subscore = 5.5415 + 2.2865 = 7.828
subscores *= SCOPE_COEFFICIENT if scope_changed? = 7.828 * 1.08 = 8.45
score = round_up([subscores, 10.0].min) = 8.45
final_score = [score, SCORE_UPBOUND[asset.max_severity]].min = [8.45, 8.9].min = 8.45
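The modifier table and the formula above, generalised to any CVSS:3.0 vector, as an added example that is not HackerOne's own code. The base metric weights are the official CVSS 3.0 values; `round_up` is taken to be the official CVSS 3.0 round-up to one decimal (the trace above shows the score before that step, 8.45, which rounds up to 8.5), and `SCORE_UPBOUND` is assumed to be the top of each CVSS qualitative band (the trace shows 8.9 for High).

```ruby
# Added example (not HackerOne's code): score a CVSS:3.0 vector the way the
# page describes, multiplying the CR/IR/AR environmental modifiers into the
# base C/I/A weights. Round-up and the severity cap table are assumptions.
AV  = { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.20 }
AC  = { "L" => 0.77, "H" => 0.44 }
PR  = { "N" => [0.85, 0.85], "L" => [0.62, 0.68], "H" => [0.27, 0.50] } # [S:U, S:C]
UI  = { "N" => 0.85, "R" => 0.62 }
CIA = { "H" => 0.56, "L" => 0.22, "N" => 0.0 }
# Modifier table from the page; X (not assigned) and M leave the weight unchanged.
MODIFIER = { "X" => 1.0, "N" => 0.0, "L" => 0.5, "M" => 1.0, "H" => 1.5 }
# Assumed cap per asset max severity: top of each CVSS qualitative band.
SCORE_UPBOUND = { "low" => 3.9, "medium" => 6.9, "high" => 8.9, "critical" => 10.0 }
EXPLOITABILITY_COEFFICIENT = 8.22
SCOPE_COEFFICIENT = 1.08
IMPACT_SCORE_BOUND = 0.915

def parse_vector(vector)
  parts = vector.split("/")
  raise ArgumentError, "expected a CVSS:3.0 vector" unless parts.shift == "CVSS:3.0"
  parts.to_h { |part| part.split(":", 2) }
end

# Unrounded score: impact + exploitability, scaled when scope changes.
def subscores(vector)
  m = parse_vector(vector)
  changed = m["S"] == "C"
  conf  = CIA.fetch(m["C"]) * MODIFIER.fetch(m.fetch("CR", "X"))
  integ = CIA.fetch(m["I"]) * MODIFIER.fetch(m.fetch("IR", "X"))
  avail = CIA.fetch(m["A"]) * MODIFIER.fetch(m.fetch("AR", "X"))
  base = [1.0 - (1.0 - conf) * (1.0 - integ) * (1.0 - avail), IMPACT_SCORE_BOUND].min
  impact = changed ? 7.52 * (base - 0.029) - 3.25 * (base - 0.02)**15 : 6.42 * base
  return 0.0 if impact <= 0 # e.g. a "None" requirement zeroes every component
  exploitability = EXPLOITABILITY_COEFFICIENT * AV.fetch(m["AV"]) * AC.fetch(m["AC"]) *
                   PR.fetch(m["PR"])[changed ? 1 : 0] * UI.fetch(m["UI"])
  total = impact + exploitability
  changed ? total * SCOPE_COEFFICIENT : total
end

# Assumed CVSS 3.0 round-up: smallest one-decimal value >= x, on integers to
# avoid float artefacts.
def round_up(x)
  i = (x * 100_000).round
  i % 10_000 == 0 ? i / 100_000.0 : (i / 10_000 + 1) / 10.0
end

def hackerone_score(vector, max_severity: nil)
  score = round_up([subscores(vector), 10.0].min)
  max_severity ? [score, SCORE_UPBOUND.fetch(max_severity)].min : score
end
```

Without CR/IR/AR the result matches the first.org base score; with them, the same vector scores differently, which is the discrepancy the page describes.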

Environmental Score Components

As mentioned above, the three components that make up the environmental score are:

  • Confidentiality

  • Integrity

  • Availability

Confidentiality

Confidentiality refers to whether the data being obtained is actually confidential to the business. This metric measures the impact to the confidentiality of the information at risk if the vulnerability were successfully exploited. To set the confidentiality level of the asset, you can choose from these four options:

Option | Details
None | There's no loss of confidentiality within the impacted component.
Low | There's some loss of confidentiality. Access to some restricted information is obtained, but the attacker doesn't have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosed doesn't cause a direct, serious loss to the impacted component.
Medium | In between Low and High.
High | There's a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity

Integrity refers to the trustworthiness of information. This metric measures the impact to integrity of a successfully exploited vulnerability. To set the integrity level of the asset, you can choose from these four options:

Option | Details
None | There's no loss of integrity within the impacted component.
Low | Modification of data is possible, but the attacker doesn't have control over the consequence of a modification. The amount of modification may be constrained, and there isn't a direct, serious impact on the affected component.
Medium | In between Low and High.
High | There's a total loss of integrity or a complete loss of protection due to the vulnerability. For example, the attacker can modify any or all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability

Availability refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. Choose from these four availability options:

Option | Details
None | There's no loss of availability within the impacted component.
Low | There's reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker can't completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
Medium | In between Low and High.
High | There's a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component. This loss is either sustained (the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has finished). Alternatively, the attacker can deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component. For example, the attacker can't disrupt existing connections but can prevent new connections, or the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory but after repeated exploitation causes a service to become completely unavailable.

Severity Caps

The affected asset in the report may have a maximum severity. In this case, the calculator automatically caps both the score and the severity rating at that maximum (the SCORE_UPBOUND step in the formula above). The presence of a maximum severity is indicated in the severity calculator.