Exam CISSP topic 1 question 153 discussion

A is correct https://cve.mitre.org/about/cve_and_nvd_relationship.html

CVSS is the correct answer. what about CVE? It gives you characteristics but not the metrics. Score on CVSS is the metric for example

CVSS is the framework for creating the metrics that determine CVEs. key word here is metrics

The framework that provides vulnerability metrics and characteristics to support the National Vulnerability Database (NVD) is the Common Vulnerability Scoring System (CVSS). CVSS is a standardized framework for assessing and rating the severity of vulnerabilities. It provides a set of metrics and scores that help to quantify the impact and exploitability of vulnerabilities. These scores are used by the NVD to provide consistent and objective information about vulnerabilities in various software and systems. Therefore, option C, Common Vulnerability Scoring System (CVSS), is the correct answer.

C. "The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for publicly known vulnerabilities." https://www.govinfo.gov/content/pkg/GOVPUB-C13-19c8184048f013016412405161920394/pdf/GOVPUB-C13-19c8184048f013016412405161920394.pdf

C-The Common Vulnerability Scoring System (aka CVSS Scores) provides a numerical (0-10) representation of the severity of an information security vulnerability. CVSS scores are commonly used by infosec teams as part of a vulnerability management program to provide a point of comparison between vulnerabilities, and to prioritize remediation of vulnerabilities. A CVSS score is composed of three sets of metrics (Base, Temporal, Environmental), each of which have an underlying scoring component.

CVSS - Keyword here is Metrics

Reference : https://www.balbix.com/insights/whats-the-difference-between-cve-and-cvss/

C is the best answer. https://ieeexplore.ieee.org/abstract/document/8594738

Given answer is correct: ! The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities: https://nvd.nist.gov/

Metrics and character = cvss https://nvd.nist.gov/vuln/vulnerability-detail-pages

CVE is a list of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services. NVD, a U.S. government repository, is the CVE List augmented with additional analysis, a database, and a fine-grained search engine. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD. https://nvd.nist.gov/general/FAQ-Sections/General-FAQs

C is Correct The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental https://nvd.nist.gov/vuln-metrics/cvss

i agree with Vino, it is A

Answer is correct "A CVSS score is composed of three sets of metrics (Base, Temporal, Environmental), each of which have an underlying scoring component." https://www.balbix.com/insights/understanding-cvss-scores/