Environmental Score

Organizations: Learn how severity is affected by impact to your organization

Updated over a month ago

When calculating severity through CVSS, the (base) score represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It does not take the importance of the affected asset into account. This is where the environmental score comes into play.

The environmental score is the base score of a severity multiplied by environmental metric modifiers. Environmental metrics contextualize how important the confidentiality, integrity, or availability of an asset is to the organization. When a severity is calculated with the CVSS calculator, the environmental score is used by default. The base score is used only if the report does not have an associated asset or the asset does not have environmental metrics.

Example: Imagine a denial-of-service vulnerability is reported for an asset. The hacker selects a high impact on the asset's availability. If the asset’s availability environmental metric is set to low, the score will be lower than when the availability environmental metric is set to medium or high.

To set the environmental metric for an asset:

  1. Go to your assets at https://hackerone.com/organizations/<org-handle>/assets.

  2. Click the kebab menu (three dots) to the right of the asset you want to edit, then click View overview.

  3. Click the edit pencil to change the ratings.

HackerOne supports the following environmental metric modifiers:

  • Not Defined

  • None

  • Low

  • Medium

  • High

The None modifier is not part of the official CVSS standard. This is part of HackerOne’s custom CVSS 3.0 implementation. Check out the table below to see how the environmental metric modifiers affect the severity subscores.

| Environmental Metric | Modifier |
|----------------------|----------|
| Not Assigned         | x1.0     |
| None                 | x0.0     |
| Low                  | x0.5     |
| Medium               | x1.0     |
| High                 | x1.5     |

The modifier is multiplied by the confidentiality, integrity, or availability subscore. The subscores together decide the final environmental score.

Note: "None" is only supported in HackerOne’s custom CVSS 3.0 implementation. In later versions, the “none” environmental metric is treated as “low” instead.
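
The denial-of-service example above, worked through in code as an added example (not HackerOne's own code). It assumes the official CVSS 3.0 environmental equations for a Scope: Unchanged vector with no temporal or modified base metrics, and takes the modifier values from the table on this page; HackerOne's exact calculation may differ.

```python
import math

# Modifier values from the table on this page ("None" is HackerOne-specific).
MODIFIER = {"not_defined": 1.0, "none": 0.0, "low": 0.5, "medium": 1.0, "high": 1.5}

# Metric weights from the CVSS 3.0 specification (Scope: Unchanged only).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """Round up to one decimal place, guarding against float noise."""
    return math.ceil(round(x * 10, 5)) / 10


def environmental_score(av, ac, pr, ui, c, i, a,
                        cr="not_defined", ir="not_defined", ar="not_defined"):
    """CVSS 3.0 environmental score for a Scope: Unchanged vector.

    Assumption: no modified base metrics and no temporal metrics, so only the
    asset's confidentiality/integrity/availability modifiers change the result.
    """
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr] * UI[ui]
    # Each impact subscore is multiplied by its modifier, then combined and capped.
    miss = min(1 - (1 - CIA[c] * MODIFIER[cr])
                 * (1 - CIA[i] * MODIFIER[ir])
                 * (1 - CIA[a] * MODIFIER[ar]), 0.915)
    impact = 6.42 * miss
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def dos_example():
    """Constructed sample: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H on four asset ratings."""
    return {ar: environmental_score("N", "L", "N", "N", "N", "N", "H", ar=ar)
            for ar in ("none", "low", "medium", "high")}


if __name__ == "__main__":
    for rating, score in dos_example().items():
        print(f"availability={rating:<7} score={score}")
```

With the availability metric at Medium the result equals the base score of the vector; Low and High move it down and up, and None removes the only impact the report claims.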
