CVSS Score of COVID-19

Base Metric Group

Exploitability metrics

Attack Vector (AV)

Adjacent (A)
Easy OTA transmission to another human with close contact (see below)

  • Any person who had contact (within 1 meter) with a confirmed case during their symptomatic period, including 4 days before symptom onset.
    COMMENT: contact does not have to be direct physical contact.
  • Any social or health care worker, who provided direct personal or clinical care, or examination of a symptomatic or asymptomatic confirmed case of COVID-19 or within the same indoor space, when an aerosol generating procedure was implemented.
  • Any person who has resided in the same household (or other closed setting) as the primary COVID-19 case.

Privileges Required (PR)

None (N)
The virus doesn’t require any authorisation from you.

User Interaction (UI)

None (N)
The vulnerable human can be exploited without interaction from the almighty.

Scope (S)

Changed (C)
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Impact Metrics

Confidentiality (C)

None (N)

Integrity (I)

High (H)
All integrity is lost when attacked by the coronavirus as it inserts itself into our DNA string, and started reproducing itself via our own resources. Human’s immune system will start reacting to the intrusion. Currently, 52.7% has recovered, 3.38% are dead, and the rest 43.92% is uncertain.

Availability (A)

High (H)
The ill person loses all availability until the immune system start reacting to the intrusion.

Temporal Metrics

Exploit Code Maturity (E)

High (H)
The virus has highly matured code to attack human.

Remediation Level (RL)

Unavailable (U)
There is no cure nor vaccine.

Report Confidence (RC)

Confirmed (C)
Plenty of confirmed and dead patients.

Environmental Metrics

Security Requirements (CR, IR, AR)

Not Defined (X)

Modified Base Metrics

Not Defined (X)
The same values as the corresponding Base Metric (see Base Metrics above), as well as Not Defined (the default).

Qualitative Severity Rating Scale

For some purposes it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores. All scores can be mapped to the qualitative ratings defined in the table below.

What if?

Self Isolation for 14 Days

A self isolation could be interpreted as reducing the attack vector to “Local” since you’ll only get infected by people close to you. This is not total isolation.


Pandemic would change the attack vector to “Network” since the expectation of a pandemic is that everyone will get infected.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store