312-50V13 Question #497: Real Exam Question with Answer & Explanation
The correct answer is B: Base metric represents the inherent qualities of a vulnerability.
Question
During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities?
Options
- A. Temporal metric represents the inherent qualities of a vulnerability
- B. Base metric represents the inherent qualities of a vulnerability
- C. Environmental metric involves the features that change during the lifetime of the vulnerability
- D. Temporal metric involves measuring vulnerabilities based on a specific environment or
Explanation
CVSS Metric Types Explained
Option B is correct because the Base metric in CVSS captures the intrinsic, fundamental characteristics of a vulnerability that remain constant over time and across environments - such as attack vector, attack complexity, privileges required, and impact on confidentiality, integrity, and availability. These qualities are inherent to the vulnerability itself, regardless of external factors.
Why the distractors are wrong:
- Option A is incorrect because Temporal metrics reflect characteristics that change over time, such as exploit code maturity, remediation level, and report confidence - not inherent qualities.
- Option C is incorrect because it describes Temporal metrics (things that evolve over a vulnerability's lifetime), not Environmental metrics, which measure impact based on a specific organizational context.
- Option D is incorrect because measuring vulnerabilities in a specific environment describes Environmental metrics, not Temporal metrics - these are swapped.
Memory Tip: Think "B = Base = Born with it" - Base metrics are what the vulnerability is born with (inherent qualities). Temporal = Time changes it, and Environmental = where it lives (your specific organization). This B-T-E framework (Born, Time, Environment) keeps the three metric types clearly organized in your mind.