Security Vulnerability Risk Score Calculator

Calculate a comprehensive vulnerability risk score using CVSS v3.1-inspired metrics. Enter the vulnerability characteristics to compute Base Score, Temporal Score, and Environmental Score with severity rating.

Base Score Metrics

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Impact Metrics

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

Temporal Score Metrics

Exploit Code Maturity (E)

Remediation Level (RL)

Report Confidence (RC)

Environmental Metrics

Confidentiality Requirement (CR)

Integrity Requirement (IR)

Availability Requirement (AR)

Fill in all fields and click Calculate to see the risk score.

Formulas Used (CVSS v3.1)

Impact Sub-Score (ISS):
ISS = 1 − [(1 − C) × (1 − I) × (1 − A)]

Impact Score:
Scope Unchanged: Impact = 6.42 × ISS
Scope Changed: Impact = 7.52 × [ISS − 0.029] − 3.25 × [ISS − 0.02]¹⁵

Exploitability Score:
ESS = 8.22 × AV × AC × PR × UI

Base Score:
If ISS ≤ 0: BaseScore = 0
Scope Unchanged: BaseScore = RoundUp(Min(Impact + ESS, 10))
Scope Changed: BaseScore = RoundUp(Min(1.08 × (Impact + ESS), 10))

Temporal Score:
TemporalScore = RoundUp(BaseScore × E × RL × RC)

Modified Impact Sub-Score (MISS):
MISS = Min(1 − [(1 − C×CR) × (1 − I×IR) × (1 − A×AR)], 0.915)

Environmental Score:
Scope Unchanged: EnvScore = RoundUp(RoundUp(Min(ModImpact + ModESS, 10)) × E × RL × RC)
Scope Changed: EnvScore = RoundUp(RoundUp(Min(1.08 × (ModImpact + ModESS), 10)) × E × RL × RC)

Overall Risk Score (weighted composite):
Overall = RoundUp(Base × 0.40 + Temporal × 0.30 + Environmental × 0.30)

RoundUp Function: Rounds to the nearest 0.1 toward positive infinity (CVSS 3.1 specification).

Assumptions & References

Metric weights follow the CVSS v3.1 Specification Document published by FIRST (Forum of Incident Response and Security Teams), June 2019.
Scope-Changed Privileges Required values are adjusted per CVSS 3.1: PR(Low)=0.68, PR(High)=0.50 when Scope=Changed.
The RoundUp function rounds to exactly one decimal place toward positive infinity, as defined in the CVSS 3.1 specification (not standard rounding).
Temporal metrics default to "Not Defined" (multiplier 1.00), meaning they do not change the Base Score unless explicitly set.
Environmental metrics use Modified Impact Sub-Score capped at 0.915 per CVSS 3.1 specification.
The Overall Risk Score is a weighted composite (Base 40%, Temporal 30%, Environmental 30%) and is not part of the official CVSS standard — it provides a single summary metric.
Severity ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0) per CVSS 3.1.
Reference: CVSS v3.1 Specification — https://www.first.org/cvss/v3.1/specification-document
Reference: NVD CVSS Calculator — https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
This calculator does not account for threat intelligence feeds, asset criticality beyond environmental metrics, or compensating controls beyond the remediation level metric.

Security Vulnerability Risk Score Calculator

Base Score Metrics

Impact Metrics

Temporal Score Metrics

Environmental Metrics

Formulas Used (CVSS v3.1)

Assumptions & References

In the network

Network

Security Vulnerability Risk Score Calculator

Base Score Metrics

Impact Metrics

Temporal Score Metrics

Environmental Metrics

Formulas Used (CVSS v3.1)

Assumptions & References

More Calculators

In the network

Network