org-metaeffekt / metaeffekt-universal-cvss-calculator

A TypeScript implementation of CVSS 2.0, 3.0, 3.1 and 4.0, alongside a web application for calculating scores for multiple CVSS vectors simultaneously.
https://metaeffekt.com/security/cvss/calculator/index.html
Apache License 2.0

CVSS 4.0: compute score (T and E) #2

Open tschmidtb51 opened 7 months ago

tschmidtb51 commented 7 months ago

For CVSS 4.0, only the overall score is provided - the threatScore and the environmentalScore that the JSON schema lists are not presented.

YanWittmann commented 7 months ago

Thank you for your input; I must admit that during research and implementation, I have not seen a "threat" or "environmental" score being defined anywhere in the CVSS 4.0 specification or the official implementation, which both only define and provide the base score.

The same goes for this Go implementation that only returns one base score.

This also does not conform with my understanding of the "CVSS-BTE" nomenclature, where only one score is calculated and interpreted in a different way depending on the metrics used to calculate it.

If you would be as kind as to point me in the right direction for this? I would be very interested, as I've been looking for a way to calculate these myself, but was unable to find anything.

tschmidtb51 commented 7 months ago

> If you would be as kind as to point me in the right direction for this? I would be very interested, as I've been looking for a way to calculate these myself, but was unable to find anything.

I'm not sure whether I'm able to do that. According to the JSON schema, those values exist... Maybe you could reach out to the CVSS SIG to ask them about this?

YanWittmann commented 7 months ago

All right, I will be doing that next week. Thank you also for your other issues; we will be addressing them as soon as possible.
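The "CVSS-BTE" nomenclature raised in the thread above, as an added example that is not part of the discussion or the project's code: it labels the single CVSS 4.0 score according to which metric groups a vector actually sets. The metric names follow the CVSS 4.0 specification; the function name `cvss4Nomenclature` and the sample vector are constructed for illustration, and metric values are not validated beyond treating `X` as Not Defined.

```typescript
// Added example: derive the CVSS 4.0 nomenclature (CVSS-B / -BT / -BE / -BTE)
// for a vector. CVSS 4.0 yields one score; the label says which groups fed it.
const BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"];
const THREAT = ["E"];
const ENVIRONMENTAL = [
  "CR", "IR", "AR",
  "MAV", "MAC", "MAT", "MPR", "MUI", "MVC", "MVI", "MVA", "MSC", "MSI", "MSA",
];

type Nomenclature = "CVSS-B" | "CVSS-BT" | "CVSS-BE" | "CVSS-BTE";

function cvss4Nomenclature(vector: string): Nomenclature {
  const [prefix, ...parts] = vector.trim().split("/");
  if (prefix !== "CVSS:4.0") {
    throw new Error(`not a CVSS 4.0 vector: ${prefix}`);
  }

  // Prototype-less object so metric names from input cannot collide with
  // inherited properties such as "constructor".
  const metrics: Record<string, string> = Object.create(null);
  for (const part of parts) {
    const [name, value, ...rest] = part.split(":");
    if (!name || !value || rest.length > 0) {
      throw new Error(`malformed metric: ${part}`);
    }
    if (name in metrics) throw new Error(`duplicate metric: ${name}`);
    metrics[name] = value;
  }

  const missing = BASE.filter((m) => !(m in metrics));
  if (missing.length > 0) {
    throw new Error(`missing base metrics: ${missing.join(",")}`);
  }

  // A metric set to "X" (Not Defined) does not contribute to the score,
  // so it does not change the label either. Supplemental metrics never do.
  const used = (group: string[]): boolean =>
    group.some((m) => m in metrics && metrics[m] !== "X");
  const threat = used(THREAT);
  const env = used(ENVIRONMENTAL);
  if (threat && env) return "CVSS-BTE";
  if (threat) return "CVSS-BT";
  return env ? "CVSS-BE" : "CVSS-B";
}

// Constructed sample vector containing only the mandatory base metrics.
const SAMPLE_BASE =
  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N";
```
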