Automatable (CVSS)
Automatable v1.0.0
The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation events for this vulnerability across multiple targets?" based on steps 1-4 of the kill chain.
Value | Definition |
---|---|
No | Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. |
Yes | Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is "wormable"). |
Not Defined | This metric value is not defined. See CVSS documentation for details. |
Automatable v1.0.0 JSON Example
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "AU",
  "name": "Automatable",
  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
  "values": [
    {
      "key": "N",
      "name": "No",
      "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
    },
    {
      "key": "Y",
      "name": "Yes",
      "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
    },
    {
      "key": "X",
      "name": "Not Defined",
      "description": "This metric value is not defined. See CVSS documentation for details."
    }
  ]
}
CVSS:Automatable vs SSVC:Automatable
The CVSS Automatable vector element was developed alongside the identically named Automatable decision point in SSVC. We intend for these two decision points to be interchangeable. The main difference is that the CVSS Automatable accommodates an explicit Not Defined value, whereas the SSVC Automatable does not.
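The interchange described above, as an added example that is not part of the SSVC or CVSS projects' own code: it validates the AU element of a CVSS vector string against the record on this page and maps it to the SSVC Automatable value name, returning nothing for Not Defined because SSVC has no such value. The function names, the abridged record, the sample vectors and the treatment of an omitted AU as X are assumptions of this example.

```python
import json

# Automatable v1.0.0 record from this page, abridged (descriptions dropped).
AU_RECORD = """
{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1",
 "key": "AU", "name": "Automatable",
 "values": [{"key": "N", "name": "No"},
            {"key": "Y", "name": "Yes"},
            {"key": "X", "name": "Not Defined"}]}
"""

def load_values(record_json=AU_RECORD):
    """Return (metric key, {value key: value name}) for a decision point record."""
    record = json.loads(record_json)
    return record["key"], {v["key"]: v["name"] for v in record["values"]}

def au_from_vector(vector, record_json=AU_RECORD):
    """Return the validated AU value key carried by a CVSS vector string."""
    metric, values = load_values(record_json)
    found = []
    for part in vector.split("/")[1:]:  # element 0 is the "CVSS:4.0" prefix
        name, sep, value = part.partition(":")
        if name == metric:
            if not sep:
                raise ValueError(f"{metric} has no value in {vector!r}")
            found.append(value)
    if len(found) > 1:
        raise ValueError(f"{metric} appears more than once in {vector!r}")
    # Assumption: an omitted AU means Not Defined (X), as CVSS v4.0 does
    # for optional metrics.
    value = found[0] if found else "X"
    if value not in values:
        raise ValueError(f"{metric}:{value} is not a value in the record")
    return value

def to_ssvc_automatable(au_key, record_json=AU_RECORD):
    """Map a CVSS AU key to the SSVC Automatable value name.

    Returns None for X: SSVC Automatable has no Not Defined value, so the
    caller must decide No or Yes rather than have it silently defaulted.
    """
    _, values = load_values(record_json)
    if au_key not in values:
        raise ValueError(f"unknown AU value {au_key!r}")
    return None if au_key == "X" else values[au_key]

# Constructed sample vectors (not taken from any real advisory).
WORMABLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y"
NO_AU = "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
```

A `None` result marks a vulnerability whose Automatable value still has to be assessed before it can feed an SSVC decision.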