CISSP Exam - Question 153

A is correct https://cve.mitre.org/about/cve_and_nvd_relationship.html

Answer is correct "A CVSS score is composed of three sets of metrics (Base, Temporal, Environmental), each of which have an underlying scoring component." https://www.balbix.com/insights/understanding-cvss-scores/

C is Correct The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental https://nvd.nist.gov/vuln-metrics/cvss

Metrics and character = cvss https://nvd.nist.gov/vuln/vulnerability-detail-pages

i agree with Vino, it is A

CVE is a list of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services. NVD, a U.S. government repository, is the CVE List augmented with additional analysis, a database, and a fine-grained search engine. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD. https://nvd.nist.gov/general/FAQ-Sections/General-FAQs

CVSS - Keyword here is Metrics

The framework that provides vulnerability metrics and characteristics to support the National Vulnerability Database (NVD) is the Common Vulnerability Scoring System (CVSS). CVSS is a standardized framework for assessing and rating the severity of vulnerabilities. It provides a set of metrics and scores that help to quantify the impact and exploitability of vulnerabilities. These scores are used by the NVD to provide consistent and objective information about vulnerabilities in various software and systems. Therefore, option C, Common Vulnerability Scoring System (CVSS), is the correct answer.

Given answer is correct: ! The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities: https://nvd.nist.gov/

C is the best answer. https://ieeexplore.ieee.org/abstract/document/8594738

Reference : https://www.balbix.com/insights/whats-the-difference-between-cve-and-cvss/

C-The Common Vulnerability Scoring System (aka CVSS Scores) provides a numerical (0-10) representation of the severity of an information security vulnerability. CVSS scores are commonly used by infosec teams as part of a vulnerability management program to provide a point of comparison between vulnerabilities, and to prioritize remediation of vulnerabilities. A CVSS score is composed of three sets of metrics (Base, Temporal, Environmental), each of which have an underlying scoring component.

C. "The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for publicly known vulnerabilities." https://www.govinfo.gov/content/pkg/GOVPUB-C13-19c8184048f013016412405161920394/pdf/GOVPUB-C13-19c8184048f013016412405161920394.pdf

CVSS is the framework for creating the metrics that determine CVEs. key word here is metrics

CVSS is the correct answer. what about CVE? It gives you characteristics but not the metrics. Score on CVSS is the metric for example