The CERT vulnerability metric value is a number between 0 and 180 that assigns an approximate severity to the vulnerability. This number considers several factors:
- Is information about the vulnerability widely available or known?
- Is the vulnerability being exploited in incidents reported to CERT or other incident response teams?
- Is the Internet infrastructure (for example, routers, name servers, critical Internet protocols) at risk because of this vulnerability?
- How many systems on the Internet are at risk from this vulnerability?
- What is the impact of exploiting the vulnerability?
- How easy is it to exploit the vulnerability?
- What are the preconditions required to exploit the vulnerability?
Because the questions are answered with approximate values based on our own judgments and may differ significantly from one site to another, readers should not rely too heavily on the metric for prioritizing their response to vulnerabilities. Rather, this metric may be useful for separating the serious vulnerabilities from the larger number of less severe vulnerabilities described in the database. Because the questions are not all weighted equally, the resulting score is not linear; that is, a vulnerability with a metric of 40 is not twice as severe as one with a metric of 20.
An alternative vulnerability severity metric is the Common Vulnerability Scoring System (CVSS).