Values for $n$ greater than 2 create very significant gaps between CVSS scores in the high and critical range. #3

EdOverflow opened this issue Dec 1, 2017 · 1 comment



@EdOverflow EdOverflow commented Dec 1, 2017


richinseattle notified me of an interesting issue in our formula when supplying it with values greater than 2 for n.


Steps To Reproduce

Set n to a value greater than 2. I am using n = 6 below.

$$N = \frac{10000}{(10)^6}$$

$$b = N \times (C^6)$$


There is a very large gap between the bounty amount for a CVSS score of 9.0 versus a score of 10.0 — namely $5314 for 9.0 and $10'000 for 10.0.


Potential Solutions

The following are some potential solutions that may even be combined to resolve this problem and other problems for n in the future.

  1. Create an S-curve as richinseattle pointed out. [1]
  2. Form pairs of CVSS scores. [2]
  3. Base the bounty on the maximum value in the CVSS rating rather than basing it off the CVSS score. This is similar to approach 2).
  4. Base n on a large data set. This would allow us to create "realistic" values for n for the three categories mentioned in the write-up. [3]
@EdOverflow EdOverflow added the bug label Dec 1, 2017

@EdOverflow EdOverflow commented Dec 2, 2017

We believe that our latest version of the formula resolves this problem by forcing n to be within the 1.0 to 3.0 range.


We also suggested that users decrease n as $b_{max}$ increases.

We recommend setting a lower value for n as you increase $b_{max}$. This should ensure that the gap between values in the 7.0 to 10.0 CVSS score range is not too big.

@EdOverflow EdOverflow closed this Dec 2, 2017
@EdOverflow EdOverflow added the resolved label Dec 2, 2017
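
The effect discussed in this thread, as an added example that is not part of the issue or the project's own code: it evaluates the formula from the first comment for several values of n, applies the 1.0 to 3.0 range from the second comment, and shows how the 9.0 to 10.0 gap grows with both n and $b_{max}$. The function names and the sample $b_{max}$ of 50,000 are assumptions made for illustration.

```python
# Added illustration; bounty, clamp_n and high_range_gap are hypothetical names.
N_MIN, N_MAX = 1.0, 3.0  # range for n stated in the follow-up comment


def bounty(score, n, b_max=10_000):
    """b = N * C^n with N = b_max / 10^n, the formula from the issue."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be within 0.0-10.0")
    return b_max / 10 ** n * score ** n


def clamp_n(n):
    """Force n into the 1.0-3.0 range."""
    return max(N_MIN, min(N_MAX, n))


def high_range_gap(n, b_max=10_000, low=9.0, high=10.0):
    """Absolute bounty difference between two CVSS scores."""
    return bounty(high, n, b_max) - bounty(low, n, b_max)


def gap_table(ns, b_max=10_000, scores=(7.0, 8.0, 9.0, 10.0)):
    """Rounded bounties for the high/critical scores plus the 9.0-10.0 gap."""
    return {
        n: ([round(bounty(c, n, b_max)) for c in scores],
            round(high_range_gap(n, b_max)))
        for n in ns
    }


if __name__ == "__main__":
    # n = 6 is the value used in the issue; the others lie inside the range.
    for n, (row, gap) in gap_table((1.0, 2.0, 3.0, 6)).items():
        print(f"n={n:<4} bounties 7-10: {row}  gap 9->10: {gap}")

    # The same n yields a larger absolute gap as b_max grows, which is why
    # the comment recommends lowering n when raising b_max.
    for b_max in (10_000, 50_000):  # 50_000 is a constructed sample value
        print(f"b_max={b_max}: gap 9->10 at n=2 is "
              f"{round(high_range_gap(2.0, b_max))}")

    # An out-of-range request such as n = 6 is forced to the upper bound.
    print("clamp_n(6) ->", clamp_n(6))
```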