Impact and probability ratings are typically assigned statically, based on the industry-accepted severity for each vulnerability class, in line with the ratings you would normally see in a penetration test. Some of our impact scores are also adjusted dynamically according to mitigating factors, for example if authentication is required to access a component, or if permissions restrict an otherwise powerful attack.
Much of the time the impact levels align with CVSS scores, but there are cases where they don’t. Some vulnerabilities, for example, don’t map well to CVSS scoring. This is true of any vulnerability that is used to attack the user through a flaw in your application, rather than to attack the system itself to compromise its data. The Integrity, Confidentiality and Availability elements of a CVSS score apply directly to the data on the system, so vulnerabilities such as Cross-Site Scripting (XSS) and other attacks against the Same Origin Policy don’t really fit and end up with a CVSS score of 4.3. However, XSS vulnerabilities are typically reported as High in both penetration testing and scanning because of the real-world impact they can achieve.
CVSS scores are quite limited by the Integrity, Confidentiality and Availability categories, which have only three options: None, Partial and Complete. We find this can limit our ability to differentiate between vulnerabilities, e.g. when a flaw allows more than a partial compromise but isn’t necessarily “complete”. An example of this is a Path Traversal vulnerability. This attack normally allows an attacker to read files from the local file system. When graded using CVSS it can come out as a Medium; however, in many cases we are able to read sensitive configuration data from local files, which can then be used to fully compromise the system. For this reason, we report all Path Traversals that allow sensitive file access as High, but also provide CVSS scores since you may need these for compliance requirements such as PCI.