Because severity terminology varies between projects and distributions, Twistlock normalizes severity ratings into a common schema. Twistlock uses the CVSS 3.0 scoring system as the reference for that schema.
Twistlock normalizes vulnerability ratings only for the purpose of evaluating rules. The Console's Monitoring section shows the vendor's own terminology, not Twistlock's normalized scores (low, medium, high, critical).
The following table maps common vendor terminology to Twistlock normalized scores:
| Vendor terminology | Twistlock score |
|---|---|
| Unimportant | Low |
| Unassigned | Low |
| Negligible | Low |
| Not yet assigned | Low |
| Low | Low |
| Medium | Medium |
| Moderate | Medium |
| High | High |
| Important | High |
| Critical | Critical |
In the absence of project-specific terminology, Twistlock normalizes using the CVSS base score published in NIST's National Vulnerability Database (NVD). In addition to the numeric CVSS score, NVD assigns a qualitative severity of Low, Medium, High, or Critical. These qualitative rankings are derived directly from the numeric score:
| CVSS base score | Twistlock severity |
|---|---|
| 0.0 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
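The following is an added example, not Twistlock's own code, showing how the two tables above combine into one normalizer that rules can be written against: the vendor's terminology is consulted first, and the CVSS 3.0 base score is used as the fallback when no recognized term is present. The function names, the treatment of an unrecognized vendor term (falling back to CVSS rather than failing), and the sample findings are assumptions made for illustration.

```python
"""Normalize vendor vulnerability severities into a common low/medium/high/critical schema.

Added example, not Twistlock's own code. It encodes the two mapping tables on this
page (vendor terminology first, CVSS 3.0 base score as fallback) so that rule logic
can be evaluated against a single schema. Function names, the fallback behaviour for
unrecognized vendor terms, and the sample findings are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Normalized levels in increasing order; the tuple index doubles as a comparable rank.
LEVELS = ("low", "medium", "high", "critical")

# Vendor terminology -> normalized severity (the page's first table), keyed lowercase.
VENDOR_TERMS = {
    "unimportant": "low",
    "unassigned": "low",
    "negligible": "low",
    "not yet assigned": "low",
    "low": "low",
    "medium": "medium",
    "moderate": "medium",
    "high": "high",
    "important": "high",
    "critical": "critical",
}

# CVSS base-score bands -> normalized severity (the page's second table).
# Each entry is (inclusive upper bound, severity); bands are checked in ascending order.
CVSS_BANDS = ((3.9, "low"), (6.9, "medium"), (8.9, "high"), (10.0, "critical"))


def severity_from_cvss(score: float) -> str:
    """Map a CVSS 3.0 base score (0.0-10.0) onto the normalized schema."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, level in CVSS_BANDS:
        if score <= upper:
            return level
    return "critical"  # not reachable after the range check; kept as a safe default


def normalize_severity(vendor_term: Optional[str], cvss_base: Optional[float]) -> str:
    """Prefer the vendor's own terminology; fall back to the CVSS base score.

    Matching is case- and whitespace-insensitive ("Not  Yet Assigned" matches).
    An unrecognized term falls through to CVSS (an assumption of this example).
    Raises ValueError when neither source yields a level, so a rule never silently
    treats an unknown finding as 'low'.
    """
    if vendor_term:
        key = " ".join(vendor_term.strip().lower().split())
        if key in VENDOR_TERMS:
            return VENDOR_TERMS[key]
    if cvss_base is not None:
        return severity_from_cvss(cvss_base)
    raise ValueError(f"cannot normalize severity: term={vendor_term!r}, cvss={cvss_base!r}")


def at_least(level: str, threshold: str) -> bool:
    """True when `level` is at or above `threshold` in the normalized ordering."""
    return LEVELS.index(level) >= LEVELS.index(threshold)


@dataclass
class Finding:
    finding_id: str
    vendor_severity: Optional[str]
    cvss_base: Optional[float]


# Constructed sample findings mixing vendor vocabularies (IDs and scores are made up).
SAMPLE_FINDINGS = [
    Finding("f1", "Important", 7.5),     # RHEL-style term, normalizes to high
    Finding("f2", "negligible", 2.1),    # Debian-style term, normalizes to low
    Finding("f3", None, 9.8),            # no vendor term: CVSS fallback -> critical
    Finding("f4", "Moderate", None),     # vendor term only -> medium
    Finding("f5", "Unknown-Tier", 4.0),  # unrecognized term: CVSS fallback -> medium
]


def findings_matching_rule(findings: List[Finding], threshold: str = "high") -> List[str]:
    """Evaluate a rule such as 'alert on high or critical' over the normalized schema."""
    return [
        f.finding_id
        for f in findings
        if at_least(normalize_severity(f.vendor_severity, f.cvss_base), threshold)
    ]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.vendor_severity, f.cvss_base, "->",
              normalize_severity(f.vendor_severity, f.cvss_base))
    print("rule(high or above):", findings_matching_rule(SAMPLE_FINDINGS))
```

Note the band boundaries: 3.9 is still low and 4.0 is already medium, so a rule written as "medium and above" picks up a 4.0 but not a 3.9. Whether an unrecognized vendor term should fall back to CVSS or be surfaced for review is a policy choice; this example falls back, and raises only when neither a known term nor a score is available.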