We use the Common Vulnerability Scoring System (CVSS) to quantify the severity of a vulnerability. We do not generate these scores in isolation: each score is derived by correlating the detected vulnerability with its associated CVE record.
How Scores are Aggregated
The accuracy of a vulnerability score depends on the quality of the sources it is drawn from. Our scoring engine follows this logic:
- CVE Identification: The system first identifies the CVE ID linked to the detected vulnerability.
- Source Cross-Referencing: We query this CVE ID against our aggregated index of security sources (such as official vendor advisories and national vulnerability databases).
- Score Extraction: We extract the CVSS vector strings and scores published by these authoritative bodies. The vector is retained alongside the number, since it records which metrics (attack vector, attack complexity, privileges required, user interaction, scope, and impact) produced that score.
Adjusting for Real-World Risk
Official CVSS scores provide a standardized baseline, but a CVSS base score describes the intrinsic characteristics of a vulnerability, not how it is exposed on a particular target. Discrepancies can therefore arise between the general, CVE-level score and what our scanner actually observes on a specific host.
Evidence-Based Rescoring
Our security team reviews the technical evidence provided by the scanner to determine whether the standard score reflects the actual threat. If the risk is lower in practice than in theory, analysts may manually adjust the severity score downward. This is most often applied in two scenarios:
- WordPress & Authenticated Vulnerabilities: Scans often detect vulnerabilities that are technically present but exploitable only with high-level authentication (for example, an administrator session). In these cases the severity may be downscaled to reflect the reduced likelihood of exploitation by an unauthenticated external attacker. Before downscaling, the analyst checks whether the published vector already accounts for this (a Privileges Required value of High rather than None), so that the same factor is not discounted twice.
- Scanning Template Limitations: For general CVEs where an automated scanning template cannot validate the full exploit chain (due to technical constraints), our team assesses the surrounding context, including the affected component's exposure and the evidence the template did collect, to decide whether the standard severity is accurate.
Proof of Exploitability
Conversely, if the scan validates an active attack path that raises the risk beyond what the CVE's standard description assumes (for example, exploitation succeeds without the credentials the published vector requires), our team can adjust the score upward to reflect the demonstrated real-world risk.