CVSS 3.1 & 4.0 Vectors

CVSS vectors are the standard for communicating vulnerability severity, but they're often unavailable or take weeks to publish. Manual scoring is time-consuming and requires deep expertise, creating significant delays between vulnerability disclosure and actionable severity data.

When scores do become available, they're frequently inconsistent across sources and versions. Some vulnerabilities have only CVSS 3.1 scores, others only 4.0, and many have conflicting assessments from different vendors or security teams.

The root cause is human subjectivity. The CVSS specification is complex and open to interpretation, leading to inaccurate scoring, poor documentation, and results that can't be independently verified or reproduced.

Volerion uses attack graphs to model exploitation scenarios. Each graph captures attacker actions, required conditions, and system effects. Every path through the graph represents a complete, valid attack scenario.

We programmatically walk these graphs to derive CVSS metrics, ensuring every vector corresponds to an actual exploitation path. This makes scores reproducible, auditable, and defensible.

We support both CVSS 3.1 and 4.0, automatically generating vectors for each standard. Our approach includes supplemental and threat metrics, providing complete context about exploitability and threats.