
CVSS v4 Equivalence Set EQ5

Here we describe an example decision model for an analyst assessing the CVSS v4 equivalence set EQ5.

Analyst Units of Work

Analyst Unit of Work

The unit of work for an Analyst is a single vulnerability report.

Analysts are usually tasked with assessing the CVSS score for an individual vulnerability report.

Analyst Decision Outcomes

The analyst's decision is to choose the appropriate level for CVSS v4 EQ5.

Equivalence Set 5 (cvss:EQ5:1.0.0)

E with 3 levels specified in Table 28

| Value | Definition |
|---|---|
| Low (L) | 2: E:U |
| Medium (M) | 1: E:P |
| High (H) | 0: E:A |
Equivalence Set 5 (cvss:EQ5:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ5",
  "version": "1.0.0",
  "name": "Equivalence Set 5",
  "description": "E with 3 levels specified in Table 28",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: E:U"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: E:P"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: E:A"
    }
  ]
}

Analyst Decision Points

Exploit Maturity (without Not Defined) (cvss:E_NoX:2.0.0)

This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.

Unreported (U): Based on available threat intelligence, each of the following must apply:
- No knowledge of publicly available proof-of-concept exploit code
- No knowledge of reported attempts to exploit this vulnerability
- No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)

Proof-of-Concept (P): Based on available threat intelligence, each of the following must apply:
- Proof-of-concept exploit code is publicly available
- No knowledge of reported attempts to exploit this vulnerability
- No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)

Attacked (A): Based on available threat intelligence, either of the following must apply:
- Attacks targeting this vulnerability (attempted or successful) have been reported
- Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)
Exploit Maturity (without Not Defined) (cvss:E_NoX:2.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "E_NoX",
  "version": "2.0.0",
  "name": "Exploit Maturity (without Not Defined)",
  "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "U",
      "name": "Unreported",
      "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
    },
    {
      "key": "P",
      "name": "Proof-of-Concept",
      "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
    },
    {
      "key": "A",
      "name": "Attacked",
      "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
    }
  ]
}

Analyst Decision Model

Below we provide an example analyst policy that maps the single decision point just listed (Exploit Maturity without Not Defined) to the EQ5 outcomes described above.

Decision Model Visualization

The following diagram shows the decision model for the EQ5 decision.

---
title: CVSS v4 Equivalence Set 5 Decision Table (cvss:DT_CVSS_EQ5:1.0.0)
---
graph LR
n1(( ))
subgraph s1["cvss:E_NoX:2.0.0"]
U_L0([U])
P_L0([P])
A_L0([A])
end
subgraph s2["cvss:EQ5:1.0.0"]
U_L_L1([L])
P_M_L1([M])
A_H_L1([H])
end
n1 --- U_L0
n1 --- P_L0
n1 --- A_L0
U_L0 --- U_L_L1
P_L0 --- P_M_L1
A_L0 --- A_H_L1

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Exploit Maturity (without Not Defined) v2.0.0 (cvss) | Equivalence Set 5 v1.0.0 (cvss) |
|---|---|---|
| 0 | unreported | low |
| 1 | proof-of-concept | medium |
| 2 | attacked | high |
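The decision table above, implemented as an added example (not code from the SSVC project): it validates that the table covers every E_NoX value, maps an E value to its EQ5 level and MacroVector digit, and extracts E from a CVSS v4.0 vector string. The function names, the trimmed decision-point dicts, and the choice to resolve a missing or E:X metric to A before applying E_NoX are assumptions of this example.

```python
import re

# Decision point definitions from the page's JSON examples, trimmed to the
# fields this example needs (long description text omitted).
E_NOX = {"namespace": "cvss", "key": "E_NoX", "version": "2.0.0",
         "values": [{"key": "U", "name": "Unreported"},
                    {"key": "P", "name": "Proof-of-Concept"},
                    {"key": "A", "name": "Attacked"}]}
EQ5 = {"namespace": "cvss", "key": "EQ5", "version": "1.0.0",
       "values": [{"key": "L", "name": "Low", "description": "2: E:U"},
                  {"key": "M", "name": "Medium", "description": "1: E:P"},
                  {"key": "H", "name": "High", "description": "0: E:A"}]}

# Decision table cvss:DT_CVSS_EQ5:1.0.0, one entry per path in the diagram:
# E_NoX value -> EQ5 value.
DT_CVSS_EQ5 = {"U": "L", "P": "M", "A": "H"}

def validate_table(table, inp, out):
    """Check that every input value maps to exactly one known output value."""
    in_keys = {v["key"] for v in inp["values"]}
    out_keys = {v["key"] for v in out["values"]}
    if set(table) != in_keys:
        raise ValueError(f"table covers {sorted(table)}, expected {sorted(in_keys)}")
    bad = {k: v for k, v in table.items() if v not in out_keys}
    if bad:
        raise ValueError(f"unknown output values: {bad}")
    return True

def eq5_level(e_value):
    """Map an Exploit Maturity value (U/P/A) to an EQ5 level (L/M/H)."""
    return DT_CVSS_EQ5[e_value]

def eq5_macro_digit(e_value):
    """EQ5 digit of the CVSS v4 MacroVector (2 for U, 1 for P, 0 for A),
    read from the '<digit>: E:<value>' description of the chosen level."""
    level = eq5_level(e_value)
    desc = next(v["description"] for v in EQ5["values"] if v["key"] == level)
    return int(desc.split(":")[0])

def e_from_vector(vector):
    """Pull the E metric out of a CVSS v4.0 vector string. E_NoX has no
    Not Defined (X) value, so an absent or X metric is resolved here to A,
    which is how the CVSS v4.0 specification treats E:X when scoring."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector string")
    m = re.search(r"/E:([UPAX])(?:/|$)", vector)
    e = m.group(1) if m else "X"
    return "A" if e == "X" else e
```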