Risk levels

Cert-IST includes two metrics in its publications to indicate the severity of a vulnerability:

  • The CVSS score (since 2007), which is a number from 0 (no risk) to 10 (maximum risk). CVSS is a standard defined by www.FIRST.org (a worldwide organisation that brings together CERTs).
  • The EISPP risk (since 2003), the value of which can be: Not rated, Low, Medium, High or Very high. This risk was defined as part of the European EISPP project: www.cert-ist.com/eispp.

Two calculation methods have been used successively by Cert-IST:

  • EISPP risk 1.3 before 2024,
  • EISPP risk 3.0 from February 2024 onwards.

The image below gives an overview of the matrices used to calculate the EISPP risk 3.0.
