At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
A vulnerability's severity (critical, high, medium or low) is based on its CVSS score:
| Severity | CVSS v3 Rating |
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 0.1 - 3.9 |
The score is comprised of measurements of each of the following metrics:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Confidentiality (C)
- Integrity (I)
- Availability (A)
Check out this calculator for CVSS here.
Linux vulnerability severity definitions
Snyk uses several sources to determine the severity of each vulnerability for a specific Linux distribution. A vulnerability can be a high-severity issue in the most general context, but a lower severity issue in specific Linux distributions such as Debian or Ubuntu.
CVSS Scoring
CVSS scoring can also have complex severity scoring. As most sources do not have a corresponding CVSS score, the CVSS score usually only reflects NVD information, which may not align with the CVSS severity.
To better understand Snyk severity scores, see the Relative Importance feature.