Error in episode "Vulnerability Management: CVSS Part 2" in the course "CompTIA CySA+ (CS0-001) Course Subtitle: CompTIA Cybersecurity Analyst"

---

Hello,

I think I have found an error in the episode mentioned above when you talk about the CVSS Base Score Categorization (otherwise known as severity ratings).

You say that when the base score is equal or greater than 6.0 but less than 10.0, it is considered as medium. Whereas critical equals to 10.0.
But actually, in the CVSS specification, there wasn't any severity rating given to the score in version 2.0. See this page.

On the other hand, CVSSv3.0 has the ratings Low, Medium, High, and Critical. Critical starting from 9.0 up until 10.0. See the specification documentation here.

What is confusing, though, is that NIST gives their own severity ratings for version 2, but critical doesn't exist. See this page under NVD Vulnerability Severity Ratings.

Could you confirm please?

By the way, who is the official source for the CVSS specification?

@Thomas-Pondant Thomas, Can you chat into our Support team for any technical issues going forward , so that we can provide the best, quickest support? We are experiencing these errors and have reached out to our pur partners for further root cause analysis.

Good catch, Thomas!

Looks like I accidentally used a risk rating scale from one of the security scanners instead of the CVSS documentation. I have them documented together and must have let my eyes drift to the wrong spot. A problem I will remedy by separating them out separately.

Thanks for bringing that to our attention and we will get eyes on it ASAP.