How should CVSS scores be used to determine whether a vulnerability is failing?


Multiple Choice

How should CVSS scores be used to determine whether a vulnerability is failing?

Explanation:
CVSS scores quantify how severe a vulnerability is and guide whether remediation is needed. In PCI ASV practice, a vulnerability with a base score above 4.0 signals medium to high risk and should be considered for remediation. However, if the only impact is Denial of Service (DoS), with no other effects, it is not counted as a failing vulnerability. So only vulnerabilities scoring above 4.0 that are not exclusively DoS are treated as failing. The other options don’t fit because a high score isn’t automatically a fail in every case (DoS-only issues are excluded), and CVSS is indeed used to gauge severity.
