Overview
CybeDefend computes a CVSS 4.0 score for every vulnerability — across SAST, SCA, IAC, Container, CICD and Secrets. The platform stores two distinct values:
- a Base Score, derived from the vulnerability’s intrinsic properties (attack vector, complexity, impact on confidentiality / integrity / availability),
- an Environmental Score, recomputed for each project from the Security Context you configure, so the same CVE can legitimately score differently across projects.
- CVSS 4.0 Native: latest FIRST.org standard with Vulnerable / Subsequent system impact metrics.
- CVSS 3.x Compatible: legacy CVSS 3.1 vectors are automatically converted to a CVSS 4.0 base vector.
- Environmental Adjustments: project context (exposure, environment, data class) reshapes the score.
- Severity Fallback: if no vector is available, severity (Critical / High / Medium / Low) drives a sensible default.
How the score is built
For each detection, CybeDefend resolves a CVSS 4.0 base vector with the following priority (first match wins):
- Direct CVSS 4.0 vector if provided by the scanner or advisory.
- CVSS 3.1 vector — converted into an equivalent CVSS 4.0 base vector (AV/AC/PR/UI/VC/VI/VA mapping, AT defaulted to None, scope handled).
- Severity-only fallback — uses a curated default vector per severity tier.
Both the base vector and the full environmental vector (including MAV, MAT, MPR, CR, IR, AR, MSC, MSI, MSA modifiers) are persisted so the scoring is fully auditable.
Environmental modifiers
The Security Context of the project drives the environmental adjustments applied to the base vector:

| Context field | CVSS 4.0 metric(s) | Effect |
|---|---|---|
| Internet Exposure (public / internal / airgapped) | MAV (Modified Attack Vector) | Network → Adjacent → Local as exposure shrinks |
| Network Segmentation (flat / segmented / microsegmented) | MAT (Modified Attack Requirements) | Segmented networks raise attack requirements |
| Environment (development / staging / production) | MPR, CR, IR, AR defaults | Dev raises required privileges; prod sets high CIA requirements |
| Data Classification (public / internal / confidential / regulated) | CR, MSC | Regulated data boosts confidentiality requirement and subsequent confidentiality |
| Business Criticality (low / medium / high / mission_critical) | AR, MSA | Mission-critical workloads boost availability requirement |
| Handles PII | CR:H, MSC:H | PII processing raises confidentiality weight |
| Handles Payment Data | CR:H, IR:H, MSC:H, MSI:H | Payment processing raises confidentiality and integrity |
| Safety-Critical | IR:H, AR:H, MSI:H, MSA:H | Safety workloads raise integrity and availability |
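As an added example (not CybeDefend's own code), the following Python shows how the Security Context table above can be turned into the environmental metric group of a CVSS 4.0 vector, with the "highest value wins" rule needed when several context fields touch the same metric. The concrete value chosen for each level (internal exposure to MAV:A, development to MPR:H, segmented to MAT:P) is an assumption, since the table states only the direction of each adjustment; the numeric CVSS 4.0 score itself is not computed here.

```python
from dataclasses import dataclass
# Highest value wins when several context fields touch the same metric.
RANK = {"X": 0, "N": 1, "L": 2, "M": 3, "H": 4}
ORDER = ("CR", "IR", "AR", "MAV", "MAT", "MPR", "MSC", "MSI", "MSA")  # CVSS 4.0 order

@dataclass
class SecurityContext:
    exposure: str = "public"         # public | internal | airgapped
    segmentation: str = "flat"       # flat | segmented | microsegmented
    environment: str = "production"  # development | staging | production
    data_class: str = "internal"     # public | internal | confidential | regulated
    criticality: str = "medium"      # low | medium | high | mission_critical
    pii: bool = False
    payment: bool = False
    safety: bool = False

def environmental_modifiers(ctx: SecurityContext) -> dict:
    """Security Context -> CVSS 4.0 environmental modifiers. Values per level
    (internal -> MAV:A, dev -> MPR:H, ...) are assumptions; the table gives direction."""
    mods = {}
    def raise_to(metric, value):
        if RANK[value] > RANK[mods.get(metric, "X")]:
            mods[metric] = value
    # Exposure: Network -> Adjacent -> Local as exposure shrinks.
    mods["MAV"] = {"public": "N", "internal": "A", "airgapped": "L"}[ctx.exposure]
    if ctx.segmentation in ("segmented", "microsegmented"):
        mods["MAT"] = "P"    # segmented networks raise attack requirements
    if ctx.environment == "development":
        mods["MPR"] = "H"    # dev raises required privileges
    boosts = [               # every remaining row only pushes metrics up to High
        (ctx.environment == "production", ("CR", "IR", "AR")),
        (ctx.data_class == "regulated", ("CR", "MSC")),
        (ctx.criticality == "mission_critical", ("AR", "MSA")),
        (ctx.pii, ("CR", "MSC")),
        (ctx.payment, ("CR", "IR", "MSC", "MSI")),
        (ctx.safety, ("IR", "AR", "MSI", "MSA")),
    ]
    for active, metrics in boosts:
        for m in (metrics if active else ()):
            raise_to(m, "H")
    return mods

def environmental_vector(base_vector: str, ctx: SecurityContext) -> str:
    # Append the environmental group to a CVSS 4.0 base vector string.
    if not base_vector.startswith("CVSS:4.0/"):
        raise ValueError("expected a CVSS 4.0 base vector; convert 3.1 vectors first")
    mods = environmental_modifiers(ctx)
    return base_vector + "".join(f"/{m}:{mods[m]}" for m in ORDER if m in mods)

# Constructed sample base vector (not taken from any real advisory).
BASE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
```

Because the stored environmental vector is what makes the score auditable, a review can diff the emitted modifiers against the project's Security Context to confirm each adjustment traces back to one of the table rows.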
Where to see the scores
- Vulnerability list — sortable by CVSS Score (SCA) and severity.
- Vulnerability detail — displays both Base Score and Environmental Score, the full CVSS 4.0 vector, and a human-readable explanation of each component.
- Top Vulnerabilities widget — surfaces the highest-priority items, including the environmental CVSS score per detection.
- API — every detection returned by the REST API exposes cvss4BaseScore, cvss4EnvironmentalScore, cvss4Vector and cvss4EnvironmentalVector.
Recalculation triggers
Environmental scores are automatically recomputed when:
- Security Context changes: any update to the project’s Security Context (exposure, environment, data class, criticality, PII / Payment / Safety toggles) re-enqueues a CVSS recalculation for all active detections.
- A new scan ingests detections: newly ingested vulnerabilities are scored with the current Security Context as part of the ingestion pipeline.
Severity vs. Score
Severity buckets (Critical, High, Medium, Low) remain available for filtering and reporting, but the environmental CVSS score is what the platform uses internally as the CVSS dimension of the Priority Score.
Severity displayed in the UI follows the standard CVSS 4.0 mapping: ≥ 9.0 Critical · ≥ 7.0 High · ≥ 4.0 Medium · > 0 Low · 0 None.
Related: Priority Scoring · Top Vulnerabilities · Exploitable Path