210-255 · Question #122
How is confidentiality defined in the CVSS v3.0 framework?
The correct answer is C. confidentiality of the information resources managed by a software component due to a. In CVSS v3.0, confidentiality impact is defined in terms of the information resources managed by a software component that are affected by a successfully exploited vulnerability.
Question
How is confidentiality defined in the CVSS v3.0 framework?
Options
- Aconfidentiality of the information resource managed by person due to an unsuccessfully exploited
- Bconfidentiality of the information resource managed by a person due to a successfully
- Cconfidentiality of the information resources managed by a software component due to a
- Dconfidentiality of the information resource managed by a software component due to an
How the community answered
(15 responses)- A7% (1)
- C87% (13)
- D7% (1)
Why each option
In CVSS v3.0, confidentiality impact is defined in terms of the information resources managed by a software component that are affected by a successfully exploited vulnerability.
This choice incorrectly references a person instead of a software component and describes an unsuccessful exploit, whereas CVSS measures impact from successful exploitation.
This choice incorrectly attributes the confidentiality impact to a person rather than a software component, which is not consistent with CVSS v3.0 terminology.
CVSS v3.0 scopes its metrics around software components, not people, because the scoring system is designed to measure the technical impact on the vulnerable software and any components it manages. Confidentiality is therefore measured as the impact on information resources managed by a software component resulting from a successful exploit. Using 'software component' is the precise CVSS v3.0 terminology that distinguishes it from broader or human-centric definitions.
This choice correctly references a software component but incorrectly describes an unsuccessful exploit, whereas CVSS v3.0 confidentiality impact is defined in terms of successful exploitation.
Concept tested: CVSS v3.0 confidentiality impact metric definition
Source: https://www.first.org/cvss/v3.0/specification-document
Topics
Community Discussion
No community discussion yet for this question.