What scoring system does UpGuard use for vulnerability severity?

UpGuard uses CVSSv3 scores as the standard severity scoring system, and CVSSv2 when v3 scores are not available.

Written by Greg Pollock

UpGuard uses the Common Vulnerability Scoring System (CVSS) from the NIST National Vulnerability Database to assign the severity of vulnerabilities.

Over the years, the CVSS has been updated to more accurately rate the severity of a vulnerability. The current version is v3.1. For vulnerabilities with CVSSv3 scores (those added since CVSSv3.0 was released in 2015), UpGuard uses the v3 score published by NIST. For those without a v3 score, UpGuard uses the v2 score published by NIST.

The v3 scoring system is known to assign severity scores that are higher on average than the scores assigned using v2. When using CVSS scores to compare vulnerabilities, users should be aware that older vulnerabilities (those before the v3 release in 2015) use the v2 system.

As a rule of thumb, vulnerabilities from 2016 onwards use v3, and those published prior to 2016 use v2. You can verify which version is being used in the vulnerability detail panel.
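
One way to apply the same v3-first, v2-fallback preference to NVD data yourself and keep the CVSS version visible when ranking. This is an added example, not UpGuard's code. It assumes records shaped like the NVD CVE API 2.0 JSON; the function names are hypothetical and the sample records and their ids are constructed.

```python
# Added example, not UpGuard code. Assumes NVD CVE API 2.0 JSON ("metrics" object).
V3_KEYS = ("cvssMetricV31", "cvssMetricV30")  # newest v3 revision first
V2_KEY = "cvssMetricV2"
NIST = "nvd@nist.gov"  # source identifier NVD uses for its own assessments

def _nist_entry(entries):
    """Prefer the score NIST assigned; otherwise fall back to the first entry."""
    for entry in entries:
        if entry.get("source") == NIST:
            return entry
    return entries[0]

def select_cvss(cve):
    """Return (major_version, base_score, severity), or None if unscored."""
    metrics = cve.get("metrics", {})
    for key in V3_KEYS:
        if metrics.get(key):
            data = _nist_entry(metrics[key])["cvssData"]
            return 3, data["baseScore"], data["baseSeverity"]
    if metrics.get(V2_KEY):
        entry = _nist_entry(metrics[V2_KEY])
        # v2 entries carry baseSeverity beside cvssData, not inside it.
        return 2, entry["cvssData"]["baseScore"], entry["baseSeverity"]
    return None

def rank(cves):
    """Rows of (id, version, score, severity), highest score first."""
    rows = [(c["id"], *picked) for c in cves if (picked := select_cvss(c))]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def mixes_versions(rows):
    """True when a ranking puts v2 and v3 scores side by side."""
    return len({row[1] for row in rows}) > 1

# Constructed sample records (placeholder ids, not real CVEs).
V2_HIGH = {"source": NIST, "cvssData": {"baseScore": 7.5}, "baseSeverity": "HIGH"}
SAMPLE = [
    {"id": "EXAMPLE-OLD", "metrics": {"cvssMetricV2": [V2_HIGH]}},
    {"id": "EXAMPLE-NEW", "metrics": {"cvssMetricV2": [V2_HIGH], "cvssMetricV31": [
        {"source": "cna@example.org", "cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}},
        {"source": NIST, "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}},
    {"id": "EXAMPLE-UNSCORED", "metrics": {}},
]

if __name__ == "__main__":
    rows = rank(SAMPLE)
    for cve_id, version, score, severity in rows:
        print(f"{cve_id}: CVSSv{version} {score} {severity}")
    if mixes_versions(rows):
        print("note: this ranking mixes CVSSv2 and CVSSv3 scores")
```

The two scored sample records have the same v2 score, so the gap between them in the ranking comes from the scoring version alone, which is why the version is kept on every row.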

Example of a vulnerability with a CVSSv2 score:


Example of a vulnerability with a CVSSv3 score: