EdOverflow / bounty-formula

A formula to calculate bounty amounts.
https://edoverflow.com/2017/the-math-behind-bug-bounties/
MIT License

Values for $n$ greater than 2 create very significant gaps between CVSS scores in the high and critical range. #3

Closed EdOverflow closed 6 years ago

EdOverflow commented 6 years ago

Description

richinseattle notified me of an interesting issue in our formula when supplying it with values greater than 2 for $n$.


Steps To Reproduce

Set $n$ to a value greater than 2. I am using $n = 6$ below.

$$N = \frac{10000}{(10)^6}$$

$$b = N \times (C^6)$$

Result

There is a very large gap between the bounty amount for a CVSS score of 9.0 versus a score of 10.0 — namely $5314 for 9.0 and $10'000 for 10.0.


Potential Solutions

The following are some potential solutions that may even be combined to resolve this problem and other problems with $n$ in the future.

1) Create an S-curve as richinseattle pointed out. [1]
2) Form pairs of CVSS scores. [2]
3) Base the bounty on the maximum value in the CVSS rating rather than basing it off the CVSS score. This is similar to approach 2).
4) Base $n$ on a large data set. This would allow us to create "realistic" values for $n$ for the three categories mentioned in the write-up. [3]

EdOverflow commented 6 years ago

We believe that our latest version of the formula resolves this problem by forcing n to be within the 1.0 to 3.0 range.


We also suggested that users decrease $n$ as $b_{max}$ increases.

We recommend setting a lower value for $n$ as you increase $b_{max}$. This should ensure that the gap between values in the 7.0 to 10.0 CVSS score range is not too big.
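The calculation behind this thread, as an added example rather than code from the bounty-formula repository: it evaluates $b = N \times C^n$ with $N = b_{max} / 10^n$ for the $n = 6$ case from the report, shows that the ratio between the 9.0 and 10.0 payouts is $0.9^n$ regardless of $b_{max}$, and applies the 1.0 to 3.0 clamp on $n$ that the later comment describes. The function names (`bounty`, `gap_ratio`, `clamp_n`, `gap_table`) and the default $b_{max}$ of 10000 taken from the issue are assumptions of this example.

```python
# Added example (not part of the EdOverflow/bounty-formula project).
# Evaluates the bounty formula from the issue:
#     N = b_max / 10**n
#     b = N * C**n
# and measures how the payout gap between CVSS 9.0 and 10.0 grows with n.


def bounty(cvss: float, n: float, b_max: float = 10_000.0) -> float:
    """Bounty for CVSS base score `cvss` under b = (b_max / 10**n) * cvss**n."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base scores lie in the range 0.0 to 10.0")
    if n <= 0:
        raise ValueError("the exponent n must be positive")
    N = b_max / 10 ** n          # normalising constant so that b(10.0) == b_max
    return N * cvss ** n


def gap_ratio(n: float) -> float:
    """b(9.0) / b(10.0). Algebraically this is (9/10)**n, so b_max cancels out."""
    return bounty(9.0, n) / bounty(10.0, n)


def clamp_n(n: float, low: float = 1.0, high: float = 3.0) -> float:
    """Force n into the 1.0 to 3.0 range the later formula version adopts (per the thread)."""
    return min(max(n, low), high)


def gap_table(exponents, b_max: float = 10_000.0):
    """Rows of (n, bounty at 9.0, bounty at 10.0, ratio) for each exponent, rounded for display."""
    return [
        (n, round(bounty(9.0, n, b_max)), round(bounty(10.0, n, b_max)), round(gap_ratio(n), 3))
        for n in exponents
    ]


if __name__ == "__main__":
    # Reproduce the report: n = 6 gives ~5314 for 9.0 and 10000 for 10.0.
    print(f"n=6: b(9.0)={bounty(9.0, 6):.2f}  b(10.0)={bounty(10.0, 6):.2f}")
    # Show the gap for the unbounded exponent versus the clamped one.
    for n, b9, b10, ratio in gap_table([1, 2, 3, 4, 6, clamp_n(6)]):
        print(f"n={n:<4} b(9.0)={b9:>6}  b(10.0)={b10:>6}  b(9)/b(10)={ratio}")
```

Running the block prints the 5314 versus 10000 figures from the report for $n = 6$ and then the same comparison for smaller exponents; once $n$ is clamped to 3.0, a 9.0 still earns about 73% of the maximum instead of 53%, which is the effect the second comment is after.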