New in 2.6: Intelligent CVSS Scoring for Unknown Vulnerabilities

Lakshmia Ferba
September 7, 2023

In Mayhem 2.6, we have released a cool feature: Intelligent CVSS scoring for unknown vulnerabilities. In this blog post, I’ll go over what CVSS is and how Mayhem leverages it to prioritize your results.

What is CVSS and How Does It Work?

CVSS, or the Common Vulnerability Scoring System, is a framework used to measure the severity of security vulnerabilities in computer systems. It provides a standardized way to assess and compare the impact of different vulnerabilities.

CVSS uses three main components to calculate a vulnerability's score:

  1. Base Score: Represents the intrinsic qualities of the vulnerability.
  2. Temporal Score: Reflects the vulnerability's characteristics over time.
  3. Environmental Score: Customizes the score based on your specific environment.

The Base Score consists of several metrics, including:

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality, Integrity, and Availability Impact

The Temporal Score considers factors like:

  • Exploit Code Maturity (called Exploitability in CVSS v2)
  • Remediation Level
  • Report Confidence

Long story short, CVSS gives you a consistent, comparable number for how bad a vulnerability is, which is exactly what you need when deciding what to fix first.

How Mayhem Uses CVSS to Help You Prioritize Results

Mayhem now assigns a CVSS-style score to every defect it finds, so each run gives you a consistent severity number alongside the defect itself.

While Mayhem has always provided automatic triage, rating each defect as low, medium, or high priority, we now also provide a numeric score, shown in parentheses beside each rating.

Mayhem’s CVSS Scoring in Action

In this example run, there are four medium-risk defects and one high-risk defect; you should prioritize the Authentication Bypass defect (High 7.8) before working your way through the medium-risk ones.

The severity score in the Mayhem dashboard is derived from the CWE database: each defect is linked to its CWE and the matching OWASP category, so you can see exactly how the score was arrived at. Because these are newly discovered defects with no CVE record, the score reflects the weakness class rather than your particular deployment; treat it as the starting point for triage and adjust for your own environment.

Clicking a CWE takes you straight to its entry in the CWE database. Being able to click through on the CWEs and other defect links means you can find out what each vulnerability is without looking it up separately, which speeds up fixing and helps you stay ahead of security threats.

Plus, being able to fix these things before deployment allows you to ship out safer products, faster.

After you fix each defect, you can rerun Mayhem to make sure that your fix works.

All in all, having intelligent CVSS scoring at your fingertips is a game changer. 

