CVSS — Common Vulnerability Scoring System
CVSS is the industry standard for rating the severity of security vulnerabilities on a scale of 0.0–10.0.
Severity Levels
| Score | Severity | Example | Typical Reward |
|---|---|---|---|
| 9.0–10.0 | Critical | Unauthenticated RCE, SQLi that dumps the DB | $5,000–$50,000+ |
| 7.0–8.9 | High | Auth bypass, SSRF to the metadata endpoint | $1,000–$10,000 |
| 4.0–6.9 | Medium | Stored XSS, IDOR that reads data | $200–$2,000 |
| 0.1–3.9 | Low | Reflected XSS, info disclosure | $50–$500 |
| 0.0 | None/Info | Best practice, no direct impact | $0 / swag |
CVSS Factors
Base Score (the most important)
| Metric | Options |
|---|---|
| Attack Vector | Network / Adjacent / Local / Physical |
| Attack Complexity | Low / High |
| Privileges Required | None / Low / High |
| User Interaction | None / Required |
| Scope | Unchanged / Changed |
| Confidentiality Impact | None / Low / High |
| Integrity Impact | None / Low / High |
| Availability Impact | None / Low / High |
Example Calculations
# Stored XSS that steals sessions
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (an account is needed)
User Interaction: Required (the victim must open the page)
Scope: Changed (cross-origin impact)
Confidentiality: High
Integrity: High
Availability: None
→ Score: ~8.0 (High)
# Unauthenticated RCE
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
→ Score: 10.0 (Critical)
Tools: use the CVSS Calculator at nvd.nist.gov/vuln-metrics/cvss/v3-calculator to compute the score accurately. Include the CVSS score together with the vector string in your report.
// CHECK YOUR UNDERSTANDING
A vulnerability with the characteristics "Network access, Low complexity, No privileges required, No user interaction, High impact on all CIA" receives which severity?
A. Low
B. Medium
C. High
D. Critical