Which of the following statements BEST describes how a cybersecurity analyst should use CVSS Base scores when deciding which vulnerabilities to remediate first?
Numeric severity ratings are largely irrelevant; only the monetary value of the affected asset matters when prioritizing fixes.
Including the CVSS Environmental and Threat metrics is discouraged because they reduce scoring accuracy.
A CVSS Base score alone provides complete risk context and should always dictate remediation order.
A CVSS Base score indicates technical severity, but analysts must also factor in exploit availability, asset value, and environmental context before setting priorities.
CVSS Base scores are valuable for expressing the intrinsic technical severity of a vulnerability, but they do not account for factors such as asset criticality, exposure in the specific environment, availability of exploits, or business impact. Effective prioritization therefore combines the CVSS severity with contextual information (e.g., whether the vulnerable service is Internet-facing, the presence of compensating controls, and the value of the affected data or system). Relying on the numeric score alone can lead to mis-prioritization.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What other factors should I consider when prioritizing security vulnerabilities?
Open an interactive chat with Bash
What are standardized scoring systems for vulnerabilities?
Open an interactive chat with Bash
How can real-world exploits influence vulnerability prioritization?