In the context of CompTIA PenTest+ and vulnerability discovery, severity ratings are the primary metric used to prioritize remediation efforts. Because organizations cannot fix every bug simultaneously, they rely on these ratings to triage threats. The industry standard for calculating these ratings is the Common Vulnerability Scoring System (CVSS), which assigns a numerical score from 0.0 to 10.0.
This score represents the technical severity of a flaw based on its intrinsic characteristics (Base Score), such as the attack vector (network vs. local), attack complexity, privileges required, and the impact on the CIA triad (Confidentiality, Integrity, and Availability). The scores generally map to qualitative tiers:
1. **Critical (9.0–10.0):** Immediate threats, often remotely exploitable without authentication, leading to full system compromise.
2. **High (7.0–8.9):** Severe impact, but may require some prerequisites like user interaction.
3. **Medium (4.0–6.9):** Significant issues that are harder to exploit or have limited impact.
4. **Low (0.1–3.9):** Minor issues with low impact or high complexity.
However, in vulnerability analysis, the raw scanner output is not the final verdict. A competent analyst must contextualize these ratings. For example, a 'Critical' vulnerability on a sandbox server with no external access poses less business risk than a 'Medium' vulnerability on a public-facing financial database. PenTesters use Environmental Metrics to adjust the severity based on the specific IT environment and asset value. Ultimately, severity ratings combined with business context enable security teams to allocate resources efficiently to the risks that could cause the most damage.
Vulnerability Severity Ratings Guide for CompTIA PenTest+
**Introduction to Vulnerability Severity Ratings**

In the context of the CompTIA PenTest+ certification, understanding how to rate, categorize, and prioritize vulnerabilities is as critical as finding them. Vulnerability severity ratings provide a standardized language for PenTesters and IT operations teams to communicate the urgency of a specific flaw.
**Why It Is Important**

A penetration test report often contains dozens or hundreds of findings. Without a severity rating system, stakeholders cannot distinguish between a minor information disclosure and a critical remote code execution flaw. Severity ratings drive:

1. **Prioritization:** Which bugs get fixed first.
2. **Resource Allocation:** Where to spend budget and man-hours.
3. **Compliance:** Meeting regulatory standards (e.g., PCI DSS requiring fixes for 'High' and 'Critical' flaws).
**What It Is: The CVSS Standard**

While some organizations use custom matrices (such as High/Med/Low based on gut feeling), the industry standard is the Common Vulnerability Scoring System (CVSS). It produces a numerical score from 0.0 to 10.0.
**How It Works**

CVSS calculates severity based on three metric groups:

1. **Base Group:** Represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. This includes the Attack Vector (Network vs. Physical), Attack Complexity, and Impact (Confidentiality, Integrity, Availability).
2. **Temporal Group:** Reflects the characteristics of a vulnerability that change over time (e.g., is exploit code available? Is there a patch?).
3. **Environmental Group:** Customized metrics based on the specific organization's environment (e.g., is this server critical to business operations?).
**The CVSS v3.x Qualitative Ratings Map**

You must memorize these ranges for the exam:

1. **None:** 0.0
2. **Low:** 0.1–3.9
3. **Medium:** 4.0–6.9
4. **High:** 7.0–8.9
5. **Critical:** 9.0–10.0
**How to Answer Questions on Severity Ratings**

When facing exam scenarios, follow this logic:

1. **Identify the Metrics:** Look for keywords like 'Remote execution' (High Severity) vs. 'Local access required' (Lower Severity).
2. **Differentiate Severity vs. Risk:** Severity is technical (CVSS). Risk includes business context. A 'Critical' technical vulnerability on a disconnected test server has a lower Risk than a 'Medium' vulnerability on a public-facing payment portal.
3. **Consult the Score:** If the question provides a CVSS score, map it immediately to the qualitative rating (Low, Medium, High, Critical) to determine the next step.
**Exam Tips: Answering Questions on Vulnerability Severity Ratings**

1. **Tip 1: Context is King.** The exam loves to trick you. If asked to prioritize remediation, do not blindly pick the highest CVSS score. Look for the asset value. A CVSS 9.0 on a printer is often less urgent than a CVSS 7.5 on the Domain Controller.
2. **Tip 2: False Positives.** If a question describes a 'Critical' finding that implies a specific OS (e.g., Windows), but the target is running a different OS (e.g., Linux), the correct answer is to categorize it as a False Positive or recalculate the severity to N/A.
3. **Tip 3: Know the Impact Sub-scores.** Remember the CIA triad. If a vulnerability allows an attacker to delete the database, the Integrity and Availability impacts are High. If they can only read it, Confidentiality is High.