Understanding the Rating Methodologies

Rating is a measurement of how much of a risk a certain vulnerability poses to the user’s business.

Black Duck strongly recommends that users utilize the Advanced Rating Methodology. This rating methodology allows sites and applications to be evaluated using the same standards. Reports based on the Advanced Rating Methodology use the same rating scale for both sites and applications. In addition, the Advanced Rating Methodology allows users to set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs.

The Advanced Rating Methodology

In the Advanced Rating Methodology, sites and applications are evaluated in the same way, where the rating is based on Risk.

Risk

Risk includes the following factors:

Likelihood: How likely is it that a vulnerability will be exploited? This may be based on how widespread the knowledge of the vulnerability is, how easy it is to exploit, etc.
Impact: How much damage may be done to the user’s business if a vulnerability is exploited, as determined by the Threat Research Center.
Priority: (Sites only) How important this asset is to the user’s business. Setting a priority for a site is not required however, if no priority is set, priority will not be considered in the Risk calculations.

Likelihood is measured on a scale of 0-9.

	Skills Required	Level of Reward	Source of Threat	Required Access/Resources
0 (Low)	Penetration skills	None	Internal developers	Full access or expensive resources
1 (Low)	Penetration skills	Low	Internal admins	Special access
2 (Low)	Programming skills	Possible reward	Internal admins	Special access
3 (Medium)	Programming skills	Possible reward	Intranet users	Special access or resources
4 (Medium)	Advanced computer skills	Possible reward	Intranet users	Special access or resources
5 (Medium)	Computer skills	Possible high reward	Partners	Some access
6 (High)	Technical skills	Possible high reward	Authenticated users	Some access
7 (High)	Technical skills	Possible high reward	Anonymous internet users	Some access or resources
8 (High)	Technical skills	Possible high reward	Anonymous internet users	No access required
9 (High)	None	High	Anonymous internet users	No access or resources

Skills Required

Level of Reward

Source of Threat

Required Access/Resources

0 (Low)

Penetration skills

None

Internal developers

Full access or expensive resources

1 (Low)

Penetration skills

Low

Internal admins

Special access

2 (Low)

Programming skills

Possible reward

Internal admins

Special access

3 (Medium)

Programming skills

Possible reward

Intranet users

Special access or resources

4 (Medium)

Advanced computer skills

Possible reward

Intranet users

Special access or resources

5 (Medium)

Computer skills

Possible high reward

Partners

Some access

6 (High)

Technical skills

Possible high reward

Authenticated users

Some access

7 (High)

Technical skills

Possible high reward

Anonymous internet users

Some access or resources

8 (High)

Technical skills

Possible high reward

Anonymous internet users

No access required

9 (High)

None

High

Anonymous internet users

No access or resources

Impact is measured on a scale of 0-9.

	Data Disclosure	Data Corruption	Services Interrupted
0 (Low)	None	None	None
1 (Low)	None	Minimal slightly corrupt data	Minimal secondary services
2 (Low)	Minimal/Non-sensitive	Minimal slightly corrupt data	Minimal secondary services
3 (Medium)	Minimal/Non-sensitive	Minimal seriously corrupt data	Minimal secondary services
4 (Medium)	Minimal/Non-sensitive	Minimal seriously corrupt data	Minimal secondary services
5 (Medium)	Minimal/Non-sensitive	Extensive slightly corrupt data	Minimal primary services
6 (High)	Minimal sensitive data	Extensive slightly corrupt data	Minimal primary services
7 (High)	Extensive sensitive data	Extensive seriously corrupt data	Extensive secondary services
8 (High)	Extensive sensitive data	Extensive seriously corrupt data	Extensive primary services
9 (High)	All data	All data	All services

Data Disclosure

Data Corruption

Services Interrupted

0 (Low)

None

1 (Low)

None

Minimal slightly corrupt data

Minimal secondary services

2 (Low)

Minimal/Non-sensitive

Minimal slightly corrupt data

Minimal secondary services

3 (Medium)

Minimal/Non-sensitive

Minimal seriously corrupt data

Minimal secondary services

4 (Medium)

Minimal/Non-sensitive

Minimal seriously corrupt data

Minimal secondary services

5 (Medium)

Minimal/Non-sensitive

Extensive slightly corrupt data

Minimal primary services

6 (High)

Minimal sensitive data

Extensive slightly corrupt data

Minimal primary services

7 (High)

Extensive sensitive data

Extensive seriously corrupt data

Extensive secondary services

8 (High)

Extensive sensitive data

Extensive seriously corrupt data

Extensive primary services

9 (High)

All data

All services

Risk is measured by the combination of the likelihood and the net impact, which is the impact after taking site priority into consideration.

	Likelihood
Net Impact	Low Likelihood	Medium Likelihood	High Likelihood
Low Impact	Risk: Note	Low Risk	Medium Risk
Medium Impact	Low Risk	Medium Risk	High Risk
High Impact	Medium Risk	High Risk	Critical Risk

Likelihood

Net Impact

Low Likelihood

Medium Likelihood

High Likelihood

Low Impact

Risk: Note

Low Risk

Medium Risk

Medium Impact

Low Risk

Medium Risk

High Risk

High Impact

Medium Risk

High Risk

Critical Risk

In the Advanced Rating Methodology, all vulnerabilities are rated according to the Risk associated with the vulnerability for that asset. This is reflected in the Findings page, Dashboard, and in generated Reports.

The Legacy Rating Methodology

In the Legacy Rating Methodology, sites and applications are evaluated differently:

Sites are rated according to Severity.
Applications are rated according to Risk.

The Legacy Rating Methodology does not incorporate the site priority in its ratings.

Severity reflects the amount of damage that could be done to the user’s business if a particular vulnerability is exploited. Severity is described as informational, low, medium, high, critical, or urgent. An informational vulnerability reflects a situation where best practices may not be followed, but no actual vulnerability is currently present. In the Legacy Rating Methodology, vulnerabilities found on sites are rated according to the severity of the vulnerability. This is reflected in the Findings page, Dashboard, and in generated Reports.

In the Legacy Rating Methodology, the Rating shown in Reports and Dashboard is based on severity alone. If viewing a particular vulnerability on the Vulnerability Details page, the details displayed under Score. The Score is the combination of severity and threat.

Threat levels are rated zero to five:

Threat Levels
Rating	Threat Level	Description
5	Urgent	This is an easily exploited vulnerability, immediate remediation is recommended.
4	Critical	This is a commonly exploited vulnerability, priority remediation is recommended.
3	High	This is a regularly exploited vulnerability, priority remediation is recommended.
2	Medium	This is a moderately difficult vulnerability to exploit. Remediation is recommended.
1	Low	This is a difficult vulnerability to exploit. Remediation is recommended as possible.
0	Informational	This is an informational finding with negligible risk. Remediation is recommended as best practice.

Threat Levels

Rating

Threat Level

Description

Urgent

This is an easily exploited vulnerability, immediate remediation is recommended.

Critical

This is a commonly exploited vulnerability, priority remediation is recommended.

High

This is a regularly exploited vulnerability, priority remediation is recommended.

Medium

This is a moderately difficult vulnerability to exploit. Remediation is recommended.

Low

This is a difficult vulnerability to exploit. Remediation is recommended as possible.

Informational

This is an informational finding with negligible risk. Remediation is recommended as best practice.

To change your rating methodology, see Changing Your Rating Methodology.