Environmental Score

Organizations: Learn how severity is affected by impact to your organization


When calculating a severity through CVSS, the base score represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It does not take into account how important the affected asset is to your organization. This is where the environmental score comes into play.

The environmental score is derived from the base score by applying environmental metric modifiers to its confidentiality, integrity, and availability subscores. Environmental metrics express how important the confidentiality, integrity, or availability of a given asset is to the organization. When calculating a severity, the HackerOne CVSS calculator uses the environmental score by default. The base score is used only if the report has no associated asset or the asset has no environmental metrics set.

Example: Imagine a denial of service vulnerability is reported for an asset. The hacker selects a high impact on the availability of that asset. If the asset's availability environmental metric is set to Low, the resulting severity score will be lower than it would be with the availability environmental metric set to Medium or High, because the availability subscore is scaled down before the final score is computed.

To set the environmental metric for an asset:

  1. Go to Program Settings > Program > Scope.

  2. Edit an existing asset and set its environmental metrics by selecting the degree of importance for each component (confidentiality, integrity, and availability).

[Image: CVSS score selector]

HackerOne supports the following environmental metric modifiers:

  • Not Defined

  • None

  • Low

  • Medium

  • High

The None modifier is not part of the official CVSS standard; it is specific to HackerOne's custom CVSS 3.0 implementation. The other four values match the security requirement (CR/IR/AR) weights defined by CVSS v3.x: Not Defined and Medium both weight a subscore at 1.0, Low at 0.5, and High at 1.5. The table below shows how each modifier affects the severity subscores.

Environmental Metric    Modifier
Not Defined             x1.0
None                    x0.0
Low                     x0.5
Medium                  x1.0
High                    x1.5

Each modifier multiplies the corresponding confidentiality, integrity, or availability subscore. The three modified subscores are then combined into the final environmental score, so a None modifier removes that component's contribution entirely, while a High modifier can raise the score above the base score.

Note: "None" is only supported in HackerOne's custom CVSS 3.0 implementation. In later versions, the "None" environmental metric is treated as "Low" instead.
