How Your Vulnerability Ratings are Determined

The most significant factor in determining a vulnerability's rating is the Rating Methodology set for your account in the Continuous Dynamic Portal. Black Duck strongly recommends that users use the Advanced Rating Methodology, which allows sites and applications to be evaluated using the same standards and rating scale.

In addition, only those users using the Advanced Rating Methodology can set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs.

The goal of rating a vulnerability is to provide a single measurement that will reflect:

  • Impact - The amount of damage that could be done if a given vulnerability is exploited.

  • Likelihood - How easily that vulnerability could be exploited.

  • Priority - (Sites only) How important this asset is to the user’s business.

If using the Advanced Rating Methodology, users can also choose to set a Priority, which is factored into the Impact set by Black Duck to produce a Net Impact.

Rating the Vulnerability

The Impact (or the Net Impact, if a Priority is set) is combined with the Likelihood to generate the Rating. The Likelihood associated with Directory Traversal is Low, so consulting the table below (also shown in Understanding the Rating Methodologies) gives the results:

Net Impact     | Low Likelihood | Medium Likelihood | High Likelihood
---------------+----------------+-------------------+----------------
Low Impact     | Note           | Low Risk          | Medium Risk
Medium Impact  | Low Risk       | Medium Risk       | High Risk
High Impact    | Medium Risk    | High Risk         | Critical Risk

If no Priority were set for either site, the vulnerability would have an Impact of High and a Likelihood of Low, and the final rating would be Medium.

Priority can have a significant impact on the Risk Rating given to a particular vulnerability on a particular asset; see "Understanding Asset Priority" for more details.