Risk levels
Cert-IST includes two metrics in its publications to indicate the severity of a vulnerability:
- The CVSS score (since 2007), which is a number from 0 (no risk) to 10 (maximum risk). CVSS is a standard defined by www.FIRST.org (a worldwide organisation that brings together CERTs).
- The EISPP risk (since 2003), whose value can be: Not rated, Low, Medium, High or Very high. This risk was defined as part of the European EISPP project: www.cert-ist.com/eispp.
Two calculation methods have been used successively by Cert-IST:
- EISPP risk 1.3 before 2024,
- EISPP risk 3.0 from February 2024 onwards.
The image below gives an overview of the matrices used to calculate the EISPP risk 3.0.