CVSS Score of COVID-19

Alvin Chang
3 min readMar 3, 2020

--

CVSS has been one of the mainstay tools for estimating risk.

It’s less frequently used in computer viruses, but even less used in human-to-human transmission of a DNA virus. However, why not? In a computer world, there are networks, hosts, and a malware/virus travels across the network to incapacitate hosts.

The same things apply to human networks, while humans are hosts, and user is the almighty.

Base Metric Group

Exploitability metrics

Attack Vector (AV)

Adjacent (A)
Easy OTA transmission to another human with close contact (see below)

Attack Complexity (AC)

Low (L)
A close contact is defined as one of the followings:

  • Any person who had contact (within 1 meter) with a confirmed case during their symptomatic period, including 4 days before symptom onset.
    COMMENT: contact does not have to be direct physical contact.
  • Any social or health care worker, who provided direct personal or clinical care, or examination of a symptomatic or asymptomatic confirmed case of COVID-19 or within the same indoor space, when an aerosol generating procedure was implemented.
  • Any person who has resided in the same household (or other closed setting) as the primary COVID-19 case.

Privileges Required (PR)

None (N)
The virus doesn’t require any authorisation from you.

User Interaction (UI)

None (N)
The vulnerable human can be exploited without interaction from the almighty.

Scope (S)

Changed (C)
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact Metrics

Confidentiality (C)

None (N)

Integrity (I)

High (H)
All integrity is lost when attacked by the coronavirus as it inserts itself into our DNA string, and started reproducing itself via our own resources. Human’s immune system will start reacting to the intrusion. Currently, 52.7% has recovered, 3.38% are dead, and the rest 43.92% is uncertain.

Availability (A)

High (H)
The ill person loses all availability until the immune system start reacting to the intrusion.

Temporal Metrics

Exploit Code Maturity (E)

High (H)
The virus has highly matured code to attack human.

Remediation Level (RL)

Unavailable (U)
There is no cure nor vaccine.

Report Confidence (RC)

Confirmed (C)
Plenty of confirmed and dead patients.

Environmental Metrics

Security Requirements (CR, IR, AR)

Not Defined (X)

Modified Base Metrics

Not Defined (X)
The same values as the corresponding Base Metric (see Base Metrics above), as well as Not Defined (the default).

Qualitative Severity Rating Scale

For some purposes it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores. All scores can be mapped to the qualitative ratings defined in the table below.

CVSS Score
None 0.0
Low 0.1 - 3.9
Medium 4.0 - 6.9
High 7.0 - 8.9
Critical 9.0 - 10.0

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives us a base score of 9.3 which is Critical.

What if?

Self Isolation for 14 Days

A self isolation could be interpreted as reducing the attack vector to “Local” since you’ll only get infected by people close to you. This is not total isolation.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives you a base score of 9.0 which is still Critical.

Pandemic

Pandemic would change the attack vector to “Network” since the expectation of a pandemic is that everyone will get infected.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives you a base score of 10.0 which is the highest possible.

--

--