Home > Projects > YFVS - Scoring Formula Details
YFVS - Scoring Formula Details
Ben Lincoln
The scoring formula for YFVS 0.4 is as follows:
Base elements
In the score breakdown, these sub-scores are displayed on the third (bottom) row of the rainbow-coloured table.
- The Yield sub-score is the maximum of any one element in that category.
- The Ease-of-Exploitation sub-score is the average of all of the elements in that category.
- The Stealthiness sub-score is the average of all of the elements in that category.
- The Prerequisites sub-score is the average of all of the elements in that category.
- The Consequences sub-score is the maximum of any one element in that category.
- Criticality Modifiers does not receive a base sub-score.
Modified sub-scores
For all modifications to base values, the maximum decrease (when all modifiers that apply to a given element are combined) is by 5. In other words, if any of the Yield values are 10, then the most they can be reduced to is 5. There is no limit to potential increases other than the score being limited to 10. See the philosophy discussion in Yield-Focused Vulnerability Score (YFVS) for more on the reasoning behind this.
- For all of the Yield values except Impact To Availability / Denial of Service Capability, the Modified versions are calculated by adding the Instance Context criticality modifier to the base value.
- If the base Impact To Availability / Denial of Service Capability value is 1 (no impact), then the Modified version is calculated the same as the other Modified Yield values. If it is greater than 1, then the Modified Impact To Availability / Denial of Service Capability value is calculated by combining the Instance Context criticality modifier with the Availability criticality modifier, and adding the result to the base value.
- The Modified Yield sub-score is then the maximum of any one element in that category.
- The Automated Response and Workarounds criticality modifiers are then combined together.
- The Connectivity, Connectivity/Accessibility (if present), Authorization, User Interaction, Vulnerability Instance Recognition, and Reproducibility values have that Automated Response/Workarounds modifer applied.
- The Authentication value has the combination of the Automated Response, Workarounds, and Authentication Modifier values applied to it.
- The elements from the previous two steps become the Modified Ease-of-Exploitation values. The sub-score for this category is the average of all of the individual scores which make it up.
- The base User Visibility value is passed unmodified to the set of Modified Stealthiness elements.
- The Modified Programmatic Visibility and Modified Logging values are calculated by applying the Forensics criticality modifier to the base values.
- The elements from the previous two steps become the Modified Stealthiness values. The sub-score for this category is the average of all of the individual scores which make it up.
Effective sub-scores
- The Effective Yield category is the combination of all of the Modified Yield elements with all of the Consequences elements which are in a state other than Undefined. The Effective Yield sub-score is then the maximum of any one element (the worst-case scenario overall).
- The Effective Ease-of-Exploitation category is the combination of all of the Modified Ease-of-Exploitation elements with all of the Prerequisites values which are in a state other than Undefined. The Effective Ease-of-Exploitation sub-score is then the average of all of those values.
- The Effective Stealthiness category is the combination of all of the Modified Stealthiness elements with the Detection and Manual Response criticality modifier values (if either or both are in a state other than Undefined). The Effective Stealthiness sub-score is then the average of all of those values.
Overall score
- Multiply the Effective Ease-of-Exploitation value by 3. Add the result to the Effective Stealthiness value. Divide by four. Subtract the result from 10. Consider this the Limiting Factor.
- Subtract 50% of the Limiting Factor from the Effective Yield. The result is the overall numeric score.
Overall score Nightingale chart
This larger radial bar graph is a little bit "smarter" than it may appear:
- Collect all of the individual score element values from the Effective sets into a single large dataset.
- For all of the values except those in the Effective Yield set, multiply the result by (Effective Yield / 10).
This chart is handled differently so that a large "splat" will only appear if the vulnerability has at least one very damaging value in its Effective Yield. Low-yield vulnerabilities will inherently be prevented from having large "spikes" outwards that might confuse casual viewers.
Related Articles:
Yield-Focused Vulnerability Score (YFVS)
YFVS - Example Comparison
YFVS Sidebar 1: Shortcomings of Existing Systems
YFVS Sidebar 2: Likelihood Ratings