Because severity terminology can vary between projects, Twistlock normalizes severity ratings into a common schema. Twistlock leverages the CVSS 3.0 scoring system.

1. Mappings

We only normalize vulnerability ratings for the purpose of creating rules. Console’s Monitoring section shows vendor terminology, not Twistlock’s normalized scores (low, medium, high, critical).

The following table maps popular vendor terminology to Twistlock normalized scores:

Vendor terminology    Twistlock score
Unimportant           Low
Unassigned            Low
Negligible            Low
Not yet assigned      Low
Low                   Low
Medium                Medium
Moderate              Medium
High                  High
Important             High
Critical              Critical

In the absence of project-specific terminology, Twistlock normalizes using the CVSS base scores defined by NIST. In addition to the numeric CVSS scores, NVD provides severity rankings of Low, Medium, High, and Critical. These qualitative rankings are simply mapped from the numeric CVSS scores:

CVSS base score    Twistlock severity
0.0 - 3.9          Low
4.0 - 6.9          Medium
7.0 - 8.9          High
9.0 - 10.0         Critical
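The two mappings above, combined into one normalizer that applies vendor terminology first and falls back to the CVSS base score, as an added example (not Twistlock's own code). It assumes that an unrecognised vendor word falls through to the CVSS score, which the page does not state, and the sample findings are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Vendor terminology -> Twistlock normalized severity (first table on this page).
# Keys are lower-cased so lookups are case-insensitive.
VENDOR_TERMS: Dict[str, str] = {
    "unimportant": "low", "unassigned": "low", "negligible": "low",
    "not yet assigned": "low", "low": "low",
    "medium": "medium", "moderate": "medium",
    "high": "high", "important": "high",
    "critical": "critical",
}

# CVSS 3.0 base score ranges -> severity (second table on this page), stored as
# (inclusive upper bound, severity). CVSS base scores carry one decimal place.
CVSS_RANGES: List[Tuple[float, str]] = [
    (3.9, "low"), (6.9, "medium"), (8.9, "high"), (10.0, "critical"),
]


def severity_from_cvss(score: float) -> str:
    """Bucket a CVSS 3.0 base score; values outside 0.0-10.0 are rejected."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, severity in CVSS_RANGES:
        if score <= upper:
            return severity
    return "critical"  # not reachable after the range check; kept for type completeness


def normalize(vendor_term: Optional[str], cvss_score: Optional[float]) -> str:
    """Vendor terminology wins when present; the CVSS base score is the fallback."""
    if vendor_term:
        severity = VENDOR_TERMS.get(vendor_term.strip().lower())
        if severity:
            return severity
        # Assumption of this example: an unknown vendor word falls through to CVSS.
    if cvss_score is not None:
        return severity_from_cvss(cvss_score)
    raise ValueError("no recognised vendor terminology and no CVSS score")


def count_by_severity(findings: List[Tuple[Optional[str], Optional[float]]]) -> Dict[str, int]:
    """Tally (vendor_term, cvss_score) findings by normalized severity."""
    counts = {"low": 0, "medium": 0, "high": 0, "critical": 0}
    for term, score in findings:
        counts[normalize(term, score)] += 1
    return counts


# Constructed sample findings, not real advisory data.
SAMPLE_FINDINGS = [("Important", None), ("negligible", 9.8), (None, 4.0), (None, 10.0)]
```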