Vulnerability Priority Rating Drivers

Tenable uses a static severity and a dynamic Vulnerability Priority Rating (VPR) to quantify how urgently you should remediate a vulnerability.

Tenable assigns the static severity based on the vulnerability's CVSSv2 score. For more information about CVSS metrics, see A Complete Guide to the Common Vulnerability Scoring System, Version 2.0 and Common Vulnerability Scoring System v3.0: Specification Document.

Tenable calculates the dynamic VPR based on additional key indicators. You can view these key VPR indicators, or drivers, using any API endpoint that returns vulnerability details. These endpoints include:

Drivers

AttributeTypeDescription
age_of_vulnobjectA range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability. Ranges include:
• 0-7 days
• 7-30 days
• 30-60 days
• 60-180 days
• 180-365 days
• 365-730 days
• More than 730 days (+731)
age_of_vuln.lower_boundinteger (int32)The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 730 days), this value is 731.
age_of_vuln.upper_boundinteger (int32)The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
exploit_code_maturitystringThe relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
cvss3_impact_scorefloatThe NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Vulnerability Management displays a Tenable-predicted score.
cvss_impact_score_predictedbooleanA value specifying whether Tenable predicted the CVSSv3 impact score for the vulnerability because NVD did not provide one (true) or used the NVD-provided CVSSv3 impact score (false) when calculating the VPR.
threat_intensity_last28stringThe relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
threat_recencyobjectA range representing the number of days since a threat event occurred for the vulnerability. Ranges include:
• 0-7 days
• 7-30 days
• 30-120 days
• 120-365 days
• More than 365 days (+365)
threat_recency.lower_boundinteger (int32)The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 365 days), this value is 366.
threat_ recency.upper_boundinteger (int32)The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
threat_sources_last28arrayA list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. Item type: string.
product_coveragestringThe relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Example

"drivers": {
   "age_of_vuln": {
    "lower_bound": 366,
    "upper_bound": 730
  },
  "exploit_code_maturity": "UNPROVEN",
  "cvss_impact_score_predicted": false,
  "cvss3_impact_score": 5.9,
  "threat_intensity_last28": "VERY_LOW",
  "threat_sources_last28": [
    "No recorded events"
  ],
  "product_coverage": "LOW"
}