The UC2 Risk Ruler enhances the Common Vulnerability Scoring System (CVSS) version 4.0 by adding a visual representation of maturity, confidence, and precision to vulnerability scores. CVSS 4.0 provides a standardized set of qualitative severity labels — None, Low, Medium, High, and Critical — which map to numeric scores for assessing the potential severity of vulnerabilities. However, CVSS alone does not account for the difference between the exact numerical score (precision), the expert judgment regarding the assessment’s reliability (confidence), and the completeness of the available metric groups (maturity). The UC2 Risk Ruler bridges this gap: it shows stakeholders how a CVSS numeric score aligns with bins that reflect uncertainty, and it explicitly distinguishes the score’s numerical exactness from the completeness of its underlying metric groups. This added dimension supports more transparent and defensible cybersecurity decision-making.
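To make the three dimensions concrete, here is an added Python illustration (not the UC2 Risk Ruler's own code, and not a description of its actual layout). It uses two things taken from the CVSS v4.0 specification, the qualitative severity bins and the metric-group membership that yields the CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE nomenclature, and treats maturity as "which scored metric groups are filled", precision as "how close the exact score sits to a bin edge", and confidence as an analyst-supplied label. The boundary margin of 0.3, the confidence labels, the `RulerReading` structure and the two-line text ruler are assumptions of this example.

```python
"""Example model of maturity, confidence and precision on top of a CVSS 4.0
score.  Added illustration; not the UC2 Risk Ruler's own implementation."""
from dataclasses import dataclass

# CVSS v4.0 qualitative severity rating scale: (label, low, high).
SEVERITY_BINS = (
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)

# CVSS v4.0 metric groups by metric abbreviation.
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
KNOWN_METRICS = BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL

# Assumptions of this example: how close to a bin edge counts as
# boundary-sensitive, and which labels an analyst may assign as confidence.
BOUNDARY_MARGIN = 0.3
CONFIDENCE_LEVELS = ("Low", "Medium", "High")


def parse_vector(vector: str) -> dict:
    """Parse a CVSS 4.0 vector string into {metric: value}.
    Metrics set to X (Not Defined) are dropped, as the spec treats them like
    omitted ones.  Raises ValueError on malformed input or an incomplete
    Base group (every Base metric is mandatory in CVSS 4.0)."""
    head, *parts = vector.strip().split("/")
    if head != "CVSS:4.0":
        raise ValueError("not a CVSS:4.0 vector")
    metrics, seen = {}, set()
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not value or name in seen:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if name not in KNOWN_METRICS:
            raise ValueError(f"unknown CVSS 4.0 metric: {name!r}")
        seen.add(name)
        if value != "X":
            metrics[name] = value
    missing = BASE - set(metrics)
    if missing:
        raise ValueError(f"incomplete Base group, missing {sorted(missing)}")
    return metrics


def maturity(metrics: dict) -> str:
    """Maturity as CVSS 4.0 nomenclature (B, BT, BE or BTE) from the scored
    groups that are filled; Supplemental metrics do not change the score."""
    present = set(metrics)
    return ("CVSS-B" + ("T" if present & THREAT else "")
            + ("E" if present & ENVIRONMENTAL else ""))


def severity(score: float) -> str:
    """Map a numeric CVSS score onto its qualitative severity bin."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores lie in [0.0, 10.0]")
    for label, _low, high in SEVERITY_BINS:
        if score <= high:
            return label
    raise AssertionError("unreachable: bins cover [0.0, 10.0]")


def precision(score: float) -> tuple:
    """Precision: distance from the exact score to the nearest bin edge.
    Returns (distance, boundary_sensitive)."""
    edges = [low for _label, low, _high in SEVERITY_BINS[1:]]
    distance = round(min(abs(edge - score) for edge in edges), 1)
    return distance, distance <= BOUNDARY_MARGIN


@dataclass(frozen=True)
class RulerReading:
    score: float
    bin: str
    maturity: str
    confidence: str
    distance_to_edge: float
    boundary_sensitive: bool


def assess(vector: str, score: float, confidence: str) -> RulerReading:
    """Combine the numeric score with maturity, confidence and precision."""
    if confidence not in CONFIDENCE_LEVELS:
        raise ValueError(f"confidence must be one of {CONFIDENCE_LEVELS}")
    distance, sensitive = precision(score)
    return RulerReading(score, severity(score), maturity(parse_vector(vector)),
                        confidence, distance, sensitive)


def render(reading: RulerReading, width: int = 50) -> str:
    """Two-line text ruler (assumed layout): bin edges as '|', the score as
    '^', then the three added dimensions on the line below."""
    cells = [" "] * (width + 1)
    for _label, low, _high in SEVERITY_BINS[2:]:   # edges at 4.0, 7.0, 9.0
        cells[round(low / 10 * width)] = "|"
    cells[round(reading.score / 10 * width)] = "^"
    note = (f"  (within {BOUNDARY_MARGIN} of a bin edge)"
            if reading.boundary_sensitive else "")
    return ("0 " + "".join(cells) + " 10\n"
            f"  {reading.score:.1f} {reading.bin} | maturity {reading.maturity}"
            f" | confidence {reading.confidence}{note}")


if __name__ == "__main__":
    # Constructed sample: Base-only vector with a score near the High/Critical edge.
    print(render(assess(
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        8.7, "Medium")))
```

Run as a script it prints the ruler for a constructed Base-only vector scored 8.7: the caret lands in the High bin, the second line reports maturity CVSS-B and the analyst's confidence, and the reading is flagged as sitting within 0.3 of the Critical edge, which is exactly the kind of information a bare "High" label hides.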
Here is the talk I gave at Vuln Con 2025. It introduces the UC2 Risk Ruler for CVSS 4.0 and provides a sneak peek at the CVSS Maturity Model that is currently under development.
Released under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license. You are encouraged to distribute, use, remix, or build upon this work. However, you must give credit as
“Rob Arnold, Acorn Pass, LLC - https://AcornPass.com”
and you must share any derivatives under the same terms along with original credit.
Please contact the author with feedback, questions, or help with bespoke implementations.