This repository has been archived by the owner on Mar 27, 2021. It is now read-only.
/ bounty-formula Public archive

# Values for $n$ greater than 2 create very significant gaps between CVSS scores in the high and critical range. #3

Closed
opened this issue Dec 1, 2017 · 1 comment

# Description

richinseattle notified me of an interesting issue in our formula when supplying it with values greater than 2 for n.

## Steps To Reproduce

Set n to a value greater than 2. I am using n = 6 below.

$$N = \frac{10000}{(10)^6}$$

$$b = N \times (C^6)$$


## Result

There is a very large gap between the bounty amount for a CVSS score of 9.0 versus a score of 10.0 — namely \$5314 for 9.0 and \$10'000 for 10.0.

# Potential Solutions

The following are some potential solutions that may even be combined to resolve this problem and other problems for n in the future.

1. Create an S-curve as richinseattle pointed out. [1]
2. Form pairs of CVSS scores. [2]
3. Base the bounty on the maximum value in the CVSS rating rather than basing it off the CVSS score. This is similar to approach 2).
4. Base n on a large data set. This would allow us to create "realistic" values for n for the three categories mentioned in the write-up. [3]

added the bug label Dec 1, 2017

### EdOverflow commented Dec 2, 2017

We believe that our latest version of the formula resolves this problem by forcing $n$ to be within the 1.0 to 3.0 range. We also suggested that users decrease $n$ as $b_{max}$ increases. We recommend setting a lower value for $n$ as you increase $b_{max}$. This should ensure that the gap between values in the 7.0 to 10.0 CVSS score range is not too big.
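The gap reported in this issue and the effect of limiting $n$ to the 1.0 to 3.0 range, as an added example that is not part of the original thread or the project's code. It assumes $N = b_{max}/10^n$ with $b_{max} = 10000$, as the equations in the issue imply; the function names and the gap limit of 3000 are constructed for illustration.

```python
import math

N_MIN, N_MAX = 1.0, 3.0  # range for n stated in the closing comment

def bounty(cvss, n, b_max=10_000):
    """b = N * C^n with N = b_max / 10^n (the issue's two equations)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS score must be between 0.0 and 10.0")
    return b_max * (cvss / 10.0) ** n

def gap_to_max(cvss, n, b_max=10_000):
    """Payout difference between a 10.0 finding and one scored `cvss`."""
    return b_max - bounty(cvss, n, b_max)

def max_n_for_gap(max_gap, b_max, cvss=9.0):
    """Largest n in [N_MIN, N_MAX] with gap_to_max(cvss) <= max_gap.

    Solves b_max * (1 - (cvss/10)^n) <= max_gap for n. Returns None when
    even N_MIN produces a larger gap.
    """
    if not 0.0 < cvss < 10.0:
        raise ValueError("cvss must be strictly between 0.0 and 10.0")
    if max_gap >= b_max:
        return N_MAX
    n = math.log(1.0 - max_gap / b_max) / math.log(cvss / 10.0)
    return None if n < N_MIN else min(n, N_MAX)

if __name__ == "__main__":
    # Payout per CVSS score in the high/critical range for several n.
    # n = 6 is the value used in the issue's reproduction steps.
    scores = (7.0, 8.0, 9.0, 10.0)
    print("n    " + "".join(f"{s:>9.1f}" for s in scores) + "   gap 9->10")
    for n in (1, 2, 3, 6):
        row = "".join(f"{bounty(s, n):>9.0f}" for s in scores)
        print(f"{n:<5}{row}{gap_to_max(9.0, n):>12.0f}")

    # Constructed policy: a 9.0 may pay at most 3000 less than a 10.0.
    # The permitted n shrinks as b_max grows, matching the recommendation.
    for b_max in (10_000, 20_000, 50_000):
        n = max_n_for_gap(3000, b_max)
        shown = "none in range" if n is None else f"{n:.2f}"
        print(f"b_max={b_max:>6}: largest n = {shown}")
```
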