{"title":"Quantifying the Impact of Vulnerabilities of the Components of an Information System towards the Composite Rise Exposure","authors":"Yanzhen Qu, Adam English, Brace Hannon","doi":"10.1109/CSCI54926.2021.00193","DOIUrl":null,"url":null,"abstract":"To compensate the lacking of any concrete scoring formula of the CVSS v3 for the category of \"Environment\", in this paper, we present a novel formula for objectively quantifying composite vulnerability exposures for non-terminal components of an information system. The paper examines limitations of the CVSS v3 calculator definition, notably the capacity to characterize vulnerabilities from a composite perspective, providing a means to output a composite CVSS-compliant vulnerability score for aggregated system components. We provide the definitions for related concepts, formulas for determining component vulnerability, and a formula for calculating composite vulnerability. The common implementation of a Linux, Apache, MySQL, PHP (LAMP) stack provides a practical demonstration of the foundational formulas.","PeriodicalId":206881,"journal":{"name":"2021 International Conference on Computational Science and Computational Intelligence (CSCI)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 International Conference on Computational Science and Computational Intelligence (CSCI)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSCI54926.2021.00193","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
To compensate for the lack of any concrete scoring formula in CVSS v3 for the "Environment" category, this paper presents a novel formula for objectively quantifying composite vulnerability exposures for non-terminal components of an information system. The paper examines limitations of the CVSS v3 calculator definition, notably its capacity to characterize vulnerabilities from a composite perspective, and provides a means to output a composite CVSS-compliant vulnerability score for aggregated system components. We provide definitions for the related concepts, formulas for determining component vulnerability, and a formula for calculating composite vulnerability. The common implementation of a Linux, Apache, MySQL, PHP (LAMP) stack provides a practical demonstration of the foundational formulas.