Vulnerability Risk Rating (VRR), Severity, CVSS, and Scanner Severity

Summary: High-level overview of the various severity values available on the Application and Host Findings pages.

Ivanti Neurons platform users can display various severity values within the Application Findings and Host Findings list views. Column display options are available when clicking the Settings (List Views - Settings Button) button underneath your initials in the page’s top-right corner.

Severity - Settings Button Location

Severity - Settings Menu

Vulnerability Risk Rating (VRR) is specific to Ivanti Neurons and factors in not only the scanner reported severity, but weaponization associations and whether the RiskSense penetration testing team has demonstrated exploitation of the flaw or weakness during one of the hundreds of real-world assessments they have completed. VRR offers a 0-10 scale where higher is more severe, just like CVSS.

The Common Vulnerability Scoring System (CVSS) is an open industry standard 0-10 severity scale maintained by the nonprofit FIRST.org (Forum of Incident Response and Security Teams) and are associated with many CVE and CWE entries maintained by MITRE. Ivanti Neurons can display CVSS v2 and v3 scoring.

Severity represents the highest CVSS score for any CVE or CWE associated with a scanner finding. In the case of a finding being correlated to CVE values of 9.0, 7.1, 7.8, and 10.0, the Severity score would be calculated as a 10.

Severity - Severity

Scanner Reported Severity is the exact, non-normalized rating provided by the vulnerability scanner tool that was used to assess a finding. Users may see a variety of values within this field, as scanner vendors may use scales of 0-3, 0-5, words (critical, high, medium, low), and other metrics.