Understanding the Rating Methodologies
Rating is a measurement of how much of a risk a certain vulnerability poses to the user’s business.
Synopsys strongly recommends that users utilize the Advanced Rating Methodology. This rating methodology allows sites and applications to be evaluated using the same standards. Reports based on the Advanced Rating Methodology use the same rating scale for both sites and applications. In addition, the Advanced Rating Methodology allows users to set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs.
The Advanced Rating Methodology
In the Advanced Rating Methodology, sites and applications are evaluated in the same way, where the rating is based on Risk.
Risk
Risk includes the following factors:
- Likelihood: How likely is it that a vulnerability will be exploited? This may be based on how widespread knowledge of the vulnerability is, how easy it is to exploit, etc.
- Impact: How much damage may be done to the user’s business if a vulnerability is exploited, as determined by the Threat Research Center.
- Priority: (Sites only) How important this asset is to the user’s business. Setting a priority for a site is not required; however, if no priority is set, priority will not be considered in the Risk calculations.
Risk is measured by the combination of the likelihood and the net impact, where the net impact is based on the impact of the vulnerability and the priority of the asset it is associated with.
The Risk rating is read from the following matrix, with Likelihood across the top and Net Impact down the side:

| Net Impact | Low Likelihood | Medium Likelihood | High Likelihood |
|---|---|---|---|
| Low Impact | Note Risk | Low Risk | Medium Risk |
| Medium Impact | Low Risk | Medium Risk | High Risk |
| High Impact | Medium Risk | High Risk | Critical Risk |
In the Advanced Rating Methodology, all vulnerabilities are rated according to the Risk associated with the vulnerability for that asset. This is reflected in the Findings page, Dashboard, and in generated Reports.
The Legacy Rating Methodology
In the Legacy Rating Methodology, sites and applications are evaluated differently:
- Sites are rated according to Severity.
- Applications are rated according to Risk.
The Legacy Rating Methodology does not incorporate the site priority in its ratings.
Severity reflects the amount of damage that could be done to the user’s business if a particular vulnerability is exploited. Severity is described as informational, low, medium, high, critical, or urgent. An informational vulnerability reflects a situation where best practices may not be followed, but no actual vulnerability is currently present. In the Legacy Rating Methodology, vulnerabilities found on sites are rated according to the severity of the vulnerability. This is reflected in the Findings page, Dashboard, and in generated Reports.
In the Legacy Rating Methodology, the Rating shown in Reports and the Dashboard is based on severity alone. When viewing a particular vulnerability on the Vulnerability Details page, the details are displayed under Score. The Score is the combination of severity and threat.
Threat levels are rated zero to five:
| Rating | Threat Level | Description |
|---|---|---|
| 5 | Urgent | This is an easily exploited vulnerability; immediate remediation is recommended. |
| 4 | Critical | This is a commonly exploited vulnerability; priority remediation is recommended. |
| 3 | High | This is a regularly exploited vulnerability; priority remediation is recommended. |
| 2 | Medium | This is a moderately difficult vulnerability to exploit. Remediation is recommended. |
| 1 | Low | This is a difficult vulnerability to exploit. Remediation is recommended as possible. |
| 0 | Informational | This is an informational finding with negligible risk. Remediation is recommended as best practice. |
To change your rating methodology, see Changing Your Rating Methodology.