: Public Class
Created: 01.03.2023 12:17:05
Modified: 01.03.2023 13:33:31
Project:
Advanced:
To rate information technology security vulnerabilities, the CVSS maintained by the forum of incident response and security teams (FIRST) can be used. Within the base metrics group, the exploitability metrics (cf. Reference [1], 7.1) can be used to rate attack feasibility. Other CVSS metrics (e.g. impact metrics) are covered by aspects of this document, e.g. damage scenarios and impact assessment.
The exploitability metrics are:
- attack vector;
- attack complexity;
- privileges required; and
- user interaction.
Evaluation of the CVSS metrics yields numerical values for each metric within a pre-defined range. The overall exploitability value can be calculated on the basis of a simple formula:
E = 8,22 × V × C × P × U
where
- E is the exploitability value;
- V is the numerical value associated with the attack vector, ranging from 0,2 to 0,85;
- C is the numerical value associated with the attack complexity, ranging from 0,44 to 0,77;
- P is the numerical value associated with the privileges required, ranging from 0,27 to 0,85; and
- U is the numerical value associated with user interaction, ranging from 0,62 to 0,85.

[1] FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST). Common Vulnerability Scoring System (CVSS), Common Vulnerability Scoring System v3.1: Specification Document, [online]. Available at: https://www.first.org/cvss/v3.1/specification-document
Attribute
Public String
  calculationFormula
Details:
Notes: Scoring system used, e.g. CVSS, company-internal, etc.
The CVSS-based approach is used as the default.
Public AttackFeasibilityRating
  value
Details:
Notes: Mapping based on the following table as recommended in ISO 21434 G3:

Attack feasibility rating | CVSS exploitability value
High | 2,96 - 3,89
Medium | 2,00 - 2,95
Low | 1,06 - 1,99
Very Low | 0,12 - 1,05
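An added example (not part of the original model or of ISO 21434) that applies the formula and the mapping table above to a CVSS v3.1 vector string. The per-metric values are those of the CVSS v3.1 specification, including its Scope-dependent values for privileges required; the function names, the sample vectors and the rounding to two decimals are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v3.1 numerical values for the four exploitability metrics.
AV = {"N": "0.85", "A": "0.62", "L": "0.55", "P": "0.2"}   # attack vector (V)
AC = {"L": "0.77", "H": "0.44"}                             # attack complexity (C)
UI = {"N": "0.85", "R": "0.62"}                             # user interaction (U)
# Privileges required (P) depends on Scope: Low/High weigh more when S:C.
PR = {"U": {"N": "0.85", "L": "0.62", "H": "0.27"},
      "C": {"N": "0.85", "L": "0.68", "H": "0.5"}}

# Mapping table from the notes of the `value` attribute (ISO 21434 G3).
BANDS = [("2.96", "3.89", "High"), ("2.00", "2.95", "Medium"),
         ("1.06", "1.99", "Low"), ("0.12", "1.05", "Very Low")]


def exploitability(vector: str) -> Decimal:
    """Return E = 8.22 * V * C * P * U for a CVSS v3.x vector string."""
    metrics = dict(item.split(":", 1) for item in vector.strip().split("/"))
    if not metrics.get("CVSS", "").startswith("3."):
        raise ValueError("expected a vector starting with CVSS:3.x")
    try:
        weights = (AV[metrics["AV"]], AC[metrics["AC"]],
                   PR[metrics["S"]][metrics["PR"]], UI[metrics["UI"]])
    except KeyError as exc:
        raise ValueError(f"missing or invalid metric value: {exc}") from None
    e = Decimal("8.22")
    for w in weights:
        e *= Decimal(w)
    # Assumption: round half-up to two decimals to match the table's precision.
    return e.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def feasibility_rating(e: Decimal) -> str:
    """Map an exploitability value to the attack feasibility rating."""
    for low, high, rating in BANDS:
        if Decimal(low) <= e <= Decimal(high):
            return rating
    raise ValueError(f"exploitability value {e} is outside 0.12 - 3.89")


if __name__ == "__main__":
    # Constructed sample vectors; the last two differ only in Scope.
    for vec in ("CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"):
        e = exploitability(vec)
        print(vec, e, feasibility_rating(e))
```

The last two sample vectors show that the Scope metric alone can move a finding from Medium to High, so the rating should be computed from the full vector rather than from the four exploitability letters in isolation.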
Element Source Role Target Role
Attack
Class  
Name:  
 
Name:  
 
Details:
 
Object Type Connection Direction Notes
TraceableSpecification Class Generalization To