The CVSS considers a number of metrics: basic metrics: - access vector - can this be done remotely, or does an [[attacker]] need local access? - access complexity - if they need access how complex is it for them to gain access? - [[authentication]]: how many times would an attacker have to be authenticated in the course of launching this attack? - impact on [[confidentiality]] - impact on [[integrity]] - impact on [[availability]] temporal metrics: - explotability - what [[vulnerability|vulnerabilities]] already exist to effect this [[attack]]? - remediation level - what countermeasures are available? Is there already a patch? - report confidence - how much do we trust the source of this proposed vulnerability? environmental metrics: - collateral damage potential - what happens beyond the computer system? - target distribution - how many potential targets are there? - [[confidentiality]] requirement - [[integrity]] requirement - [[availability]] requirement