Value Density (CVSS)
Value Density v1.0.0
Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.
| Value | Definition |
|---|---|
| Not Defined | This metric value is not defined. See CVSS documentation for details. |
| Diffuse | The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small. |
| Concentrated | The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of "system operators" rather than users. |
Value Density v1.0.0 JSON Example
{
"namespace": "cvss",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "V",
"name": "Value Density",
"description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
"values": [
{
"key": "X",
"name": "Not Defined",
"description": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "D",
"name": "Diffuse",
"description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
},
{
"key": "C",
"name": "Concentrated",
"description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
]
}
CVSS:Value Density vs SSVC:Value Density
The CVSS Value Density vector element was developed alongside the identically named Value Density decision point in SSVC. We intend for these two decision points to be interchangeable. The main difference is that the CVSS Value Density accomodates an explicit Not Defined value, whereas the SSVC Value Density does not.