Vulnerability Response Effort
Vulnerability Response Effort v1.0.0
The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.
Value | Definition |
---|---|
Not Defined | This metric value is not defined. See CVSS documentation for details. |
Low | The effort required to respond to a vulnerability is low/trivial. |
Moderate | The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement. |
High | The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement). |
Vulnerability Response Effort v1.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "RE",
  "name": "Vulnerability Response Effort",
  "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
  "values": [
    {
      "key": "X",
      "name": "Not Defined",
      "description": "This metric value is not defined. See CVSS documentation for details."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "The effort required to respond to a vulnerability is low/trivial."
    },
    {
      "key": "M",
      "name": "Moderate",
      "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
    },
    {
      "key": "H",
      "name": "High",
      "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
    }
  ]
}
```
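One way a consumer could read this decision point when triaging, as an added example that is not part of the original page: it validates the JSON above (descriptions omitted) and resolves the `RE` value carried in a CVSS vector string. It assumes CVSS v4.0 vector notation (slash-separated `METRIC:VALUE` pairs); the function names are hypothetical.

```python
import json

# Decision point from this page; descriptions omitted to keep the example short.
DECISION_POINT = json.loads("""
{"namespace": "cvss", "version": "1.0.0", "key": "RE",
 "name": "Vulnerability Response Effort",
 "values": [{"key": "X", "name": "Not Defined"},
            {"key": "L", "name": "Low"},
            {"key": "M", "name": "Moderate"},
            {"key": "H", "name": "High"}]}
""")


def validate_decision_point(dp):
    """Check the fields a consumer relies on and return a key -> name map."""
    for field in ("namespace", "version", "key", "name", "values"):
        if field not in dp:
            raise ValueError(f"decision point missing field: {field}")
    names = {}
    for value in dp["values"]:
        if value["key"] in names:
            raise ValueError(f"duplicate value key: {value['key']}")
        names[value["key"]] = value["name"]
    return names


def response_effort(vector, dp=DECISION_POINT):
    """Return the RE value name carried by a CVSS vector string.

    Assumption: CVSS v4.0 notation, METRIC:VALUE pairs after the version
    prefix. A vector that omits RE is treated as Not Defined (X).
    """
    names = validate_decision_point(dp)
    found, seen = "X", False
    for part in vector.split("/")[1:]:  # skip the "CVSS:4.0" prefix
        metric, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric: {part!r}")
        if metric != dp["key"]:
            continue
        if seen:
            raise ValueError("RE appears more than once")
        if value not in names:
            raise ValueError(f"unknown RE value: {value!r}")
        found, seen = value, True
    return names[found]
```

Rejecting unknown or repeated `RE` values, rather than silently defaulting, keeps a malformed vector from being scheduled as if its response effort were Not Defined.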