CVSS 4.0 when?

When can we expect to see the new scoring method in InsightVM?

FIRST has officially published the latest version of the Common Vulnerability Scoring System (CVSS v4.0)
https://www.first.org/newsroom/releases/20231101

I found your blog post on the topic, but I did not see any info on an ETA.

1 Like

Right now, we do not have a solid ETA. We will be adding support for CVSS v4 - however we first need to wait for NVD (and/or vendors) to begin adding v4 scores to vulnerabilities.

This is likely to take time to roll out within the industry at large, which may or may not include backdating v4 scores to older vulnerabilities.

Once we start to see v4 scores, we can start to add support. Only then could we be in a position to provide any form of ETA.

2 Likes

I’m afraid that the whole picture will become a bit confusing. We will then have to deal with CVSS v2, CVSS v3 and CVSS v4 scoring vulnerabilities in the future. Possibly a good opportunity to work more with the active risk score, I guess. 🙂

2 Likes

Somewhat. I think most scoring is at a v3.1 level and v2 is mostly gone. So I think it’s likely that v2 and/or 3 would largely go away. Time will tell though and the active risk is a good metric.

@david_altanian that's what we will be going towards come Feb 2024. Has anyone figured out where the button is to activate this? I do not see it in the weighted options in the Admin page where temporal, real risk, etc. are. I wondered if that button was coming, or is it sort of a soft move over to it?

NEVERMIND, it must have updated in the new version that got pushed out recently, because it's there now!
[screenshot]

Once we set this, what will change? Risk scores? Will the columns convert to CVSSv3 and not reflect version 2?

Hi @vanessa_villalpando,
In general, it only alters how the Risk Score is calculated. To illustrate the impact of the change, please refer to the screenshot below:
[screenshot]
I then began to assess my numerous Scan sites using the Criticality Tag and adjusted the Multipliers accordingly. Like this:
[screenshot]
However, this is not advice on how you should proceed. These settings are best suited for our needs. Perhaps another configuration is more suitable for your environment.
We also began using this Dashboard Card regularly to prioritize vulnerability remediation:
[screenshot]

1 Like

This is great information @david_altanian, I certainly appreciate the insight. I’ve been wanting to use the criticality tags, as in the past we have not, unless it was an accidental application of the critical tagging. The admin would freak out and say "why is my Risk Score so high?!" and we found it was accidentally applied. This is a good thing to use to assess the assets, and I think if we can find our highest priority assets, yes, we can use this, but that will take a lot of assessing.

So you did this before even applying the active risk? Or are you not using that yet? So if you are using the active risk score now, you also applied the critical tags as well, so that would bump up your risk scores a second time? Am I thinking about that right?

Until now, we have not used Rapid7 risk scoring for prioritization, and I have not employed criticality tags to customize the risk scores to our needs.

As seen in the screenshot above, activating “Active Risk” significantly increased the overall risk score. Subsequently, I applied criticality tags to each scan site, resulting in another rise in the risk score. Following that, I adjusted the scores based on criticality tags, leading to a substantial decrease in overall risk. However, this adjustment now better reflects our environment in a more realistic manner.

I have organized my scan sites based on our network layers. For instance, networks in our DMZ have the highest criticality tag because this layer encompasses connections to the internet and internal services. Networks with enhanced security and no internet connections have a lower criticality tag.

1 Like

Oh okay. We started with, and are still using, CVSSv2 scoring but have to incorporate CVSSv3 now (which is where Active Risk will come into play for us). We use CVSS scoring, and after remediation efforts a lot of our admins use the risk score to assess further, after assessing our high/critical CVSS scores of 8+, which may drop as well when we implement the Active Risk mechanism.

I see you're adding criticality tagging to your sites; I forget that option is there not only for individual assets. That’s a great idea. We have sort of the same layout as well.