Risk Score

Risk Score is currently in Closed Beta for Snyk Open Source. If you are interested in replacing the Priority Score with the Risk Score, please contact your Snyk account team. See Snyk feature release process for more details.

Overview

The Snyk Risk Score is a single value assigned to an issue, applied by automatic risk analysis for each security issue and based on the potential impact and likelihood of exploitability. Ranging from 0 to 1000, the score represents the risk imposed on your environment and enables a risk-based prioritization approach.

Since real risk is scarce, you should expect the distribution of scores to be strongly skewed, as can be seen in this example Project score distribution:

[Figure: Example Project scores distribution]

As part of the closed beta, the Risk Score replaces the Priority Score directly. See the priority score docs for how to interact with it in the UI, API, and Reports.

The Priority Score will be replaced with the Risk Score upon retest of Projects.

About the Risk Score Model

The Snyk Risk Score Model

The model that powers the Risk Score applies automatic risk analysis for each security issue based on the potential impact and likelihood of exploitability.

The Risk Model is the result of extensive research conducted by the Snyk Security data science team and experienced security researchers. It draws upon years of expertise in developing the Snyk Vulnerability DB.

Impact subscore

  • Objective impact factors are the CVSS impact metrics (Availability, Confidentiality, Integrity, and Scope) and are calculated based on the CVSS impact subscore.

  • Coming soon - Business criticality Project attribute (learn more) will be taken into account as a contextual impact factor, increasing or decreasing the impact subscore.

Likelihood subscore

  • Objective likelihood factors are taken into account:

    • Exploit Maturity

    • Exploit Prediction Scoring System (EPSS)

    • Age of advisory

    • CVSS exploitability metrics (Attack vector, Privileges required, User interaction, and Scope)

    • Social Trends

    • Malicious Package

    • Coming soon - Disputed vulnerability and Package popularity

  • Contextual likelihood factors then increase or decrease the likelihood subscore:

    • Reachability (Java only, JavaScript coming soon)

    • Transitive depth

    • Coming soon - Insights such as public exposure and vulnerability condition applicability

Impact and Likelihood scores are then multiplied into a final Risk Score.

"Fixability" is no longer considered as part of the Score Calculation, as the effort needed to mitigate a security issue does not affect the Risk it imposes. To focus on actionable issues first, use Fixability filters and then use the Risk Score to start with the riskiest issues.

Risk factors drill down

Objective impact risk factors

Confidentiality

Represents the impact on the customer's data confidentiality, based on the CVSS definition.

Possible input values: None, Low, High

Integrity

Represents the impact on the customer's data integrity, based on the CVSS definition.

Possible input values: None, Low, High

Availability

Represents the impact on the customer's application availability, based on the CVSS definition.

Possible input values: None, Low, High

Scope

Represents whether the vulnerability can affect components outside of the target’s security scope, based on CVSS definition.

Possible input values: Unchanged, Changed

How would these affect the score? The objective impact subscore is calculated from the CVSS impact subscore. Learn more about CVSS impact definitions and subscore equations.

Contextual impact risk factors (Coming Soon)

Business Criticality

User-defined Project attribute representing the subjective business impact of the respective application (learn more).

Possible input values: Critical, High, Medium, Low

How would this affect the score?

Critical - Impact subscore will increase

High - Impact subscore will not be affected

Medium - Impact subscore will decrease

Low - Impact subscore will decrease significantly

Objective likelihood risk factors

EPSS score

Exploit Prediction Scoring System, which predicts whether a CVE will be exploited in the wild, based on a model created and owned by the FIRST organization. The probability is the direct output of the EPSS model and conveys an overall sense of the threat of exploitation in the wild. This data is updated daily, using the latest available EPSS model version. See the EPSS documentation for more details.

Possible input values: EPSS score [0.00-1.00]

How would this affect the score? The likelihood subscore will increase significantly according to the EPSS score

Exploit Maturity

Represents the existence and maturity of any public exploit retrieved and validated by Snyk (learn more).

Possible input values: None, Proof of Concept, Functional, High

How would this affect the score? The likelihood subscore will increase significantly according to the level of Exploit Maturity

Malicious Package

Malicious code deployed as a supply chain dependency is considered highly exploitable.

Possible input values: True, False

How would this affect the score?

The Likelihood subscore will increase significantly for Malicious Packages

Attack Complexity

Represents the level of complexity defined by the conditions that must exist to exploit the vulnerability, based on the CVSS definition.

Possible input values: Low, High

How would this affect the score?

Low - Likelihood subscore will increase

High - Likelihood subscore will decrease

Attack Vector

Represents the context by which vulnerability exploitation is possible, based on the CVSS definition.

Possible input values: Network, Adjacent, Local, Physical

How would this affect the score?

Network - Likelihood subscore will increase

Adjacent, Local, Physical - Likelihood subscore will decrease according to the level of remote access needed for exploit

Privileges Required

Represents the level of privileges an attacker must possess before successfully exploiting the vulnerability, based on the CVSS definition.

Possible input values: None, Low, High

How would this affect the score?

None - Likelihood subscore will increase

Low, High - Likelihood subscore will decrease according to the level of privileges required

User Interaction

Represents the need for action from a user as part of the exploitation process, based on the CVSS definition.

Possible input values: None, Required

How would this affect the score?

None - Likelihood subscore will increase

Required - Likelihood subscore will decrease

Social Trends

Represents the social media traffic regarding this vulnerability. Our research has shown that greater social media interaction can predict future exploitation or point to existing exploitation (learn more).

Possible input values: Currently Trending, Not trending

How would this affect the score?

Currently Trending - Likelihood subscore will increase

Not trending - Likelihood subscore will not change

Age of vulnerability

A new vulnerability (up to 1 year old) is more likely to be exploited than an old one (more than 1 year since publication).

Possible input values: Less than 1 year old, Over 1 year old

How would this affect the score?

Less than 1 year old - Likelihood subscore will increase

Over 1 year old - Likelihood subscore will decrease

Package Popularity (Coming Soon)

If a package is more popular (relative to its ecosystem), it is more likely to be exploited as hackers benefit from a wider pool of potential targets.

Possible input values: Popularity percentile rank [1-100]

How would this affect the score?

The likelihood subscore will increase based on the popularity rank.

CVE disputed (Coming Soon)

These are CVEs that have been acknowledged as being disputed by their Project maintainer or the community at large. Our research shows that none of the disputed CVEs in the Snyk Vulnerability DB have been exploited in the wild.

Possible input values: True, False

How would this affect the score?

True - Likelihood subscore will decrease significantly

False - Likelihood subscore will not change

Contextual likelihood risk factors

Transitive Depth

Building on past studies, Snyk's research has shown that if a vulnerability is introduced to a Project transitively rather than directly, it is less likely that an exploitable function path exists.

Possible input values: Direct dependency, Indirect dependency, Great transitive depth (coming soon)

How would this affect the score?

Direct Dependency - Likelihood subscore will not change

Indirect Dependency - Likelihood subscore will decrease

Great transitive depth - Likelihood subscore will decrease significantly

Reachability

Snyk static code analysis determines whether the vulnerable method is being called. (Currently supported only for Java; JavaScript coming soon. Learn more.)

Possible input values: Reachable, No path found, Undefined

How would this affect the score?

Reachable - Likelihood subscore will increase, Transitive Depth will not be taken into account.

No path found - Likelihood subscore will not change

Undefined - Likelihood subscore will not change

Platform Condition (Coming Soon)

Whether the operating system and architecture of a given resource are relevant to this specific issue or not.

Possible input values: Condition not met, Condition met, Undefined

How would this affect the score?

Condition not met - Likelihood subscore will decrease significantly

Condition met, Undefined - Likelihood subscore will not change.

Deployed (Coming Soon)

Whether the container image introducing this issue is deployed or not.

Possible input values: Deployed, Not Deployed, Undefined

How would this affect the score?

Deployed - Likelihood subscore will increase

Not Deployed - Likelihood subscore will decrease

Undefined - Likelihood subscore will not change

Public Facing (Coming Soon)

Whether the asset introducing this issue is exposed to the internet or not.

Possible input values: Public Facing, Not Public Facing, Undefined

How would this affect the score?

Public Facing - Likelihood subscore will increase

Not Public Facing - Likelihood subscore will decrease

Undefined - Likelihood subscore will not change
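To make the model structure from "About the Risk Score Model" and the factor drill-down above concrete, here is an added illustrative implementation; it is not Snyk's code, and the multipliers are assumptions chosen only to follow the increase/decrease direction the page states for each factor. Only the CVSS v3.1 impact subscore equation, the factor names and their listed values, and the rule that a reachable path makes transitive depth irrelevant come from the page.

```python
# Illustrative model in the shape the page describes: a CVSS v3.1 impact subscore
# multiplied by a likelihood subscore, scaled to 0-1000. Only the CVSS impact
# equation and the direction of each factor come from the page; weights are assumed.
CIA = {"None": 0.0, "Low": 0.22, "High": 0.56}  # CVSS v3.1 C/I/A metric values
MAX_IMPACT = 6.05  # approx. CVSS v3.1 maximum impact subscore (all High, Scope Changed)

def cvss_impact(conf, integ, avail, scope):
    """CVSS v3.1 impact subscore, the page's objective impact factor."""
    iss = 1 - (1 - CIA[conf]) * (1 - CIA[integ]) * (1 - CIA[avail])
    if scope == "Unchanged":
        return 6.42 * iss
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15

# Assumed multipliers: >1 raises the likelihood subscore, <1 lowers it, 1 leaves it.
EXPLOIT = {"None": 1.0, "Proof of Concept": 1.3, "Functional": 1.8, "High": 2.2}
VECTOR = {"Network": 1.2, "Adjacent": 0.9, "Local": 0.7, "Physical": 0.5}
PRIVS = {"None": 1.2, "Low": 0.8, "High": 0.6}
DEPTH = {"Direct dependency": 1.0, "Indirect dependency": 0.7, "Great transitive depth": 0.4}

def likelihood(f):
    """Likelihood subscore in [0, 1]: objective factors first, then contextual ones."""
    score = 0.25 * (1 + 3 * f["epss"])  # EPSS probability sets the baseline
    score *= EXPLOIT[f["exploit_maturity"]] * VECTOR[f["attack_vector"]]
    score *= PRIVS[f["privileges_required"]]
    score *= 1.2 if f["attack_complexity"] == "Low" else 0.8
    score *= 1.1 if f["user_interaction"] == "None" else 0.8
    score *= 1.1 if f["age_years"] < 1 else 0.9
    score *= 1.3 if f["trending"] else 1.0
    score *= 3.0 if f["malicious"] else 1.0
    score *= 0.2 if f["disputed"] else 1.0
    if f["reachability"] == "Reachable":  # reachable: transitive depth is ignored
        score *= 1.5
    else:  # "No path found" and "Undefined" leave the subscore unchanged
        score *= DEPTH[f["transitive_depth"]]
    return min(score, 1.0)  # capped, so a fully weaponized issue is impact-driven

def risk_score(cvss, factors):
    """Impact x likelihood, scaled to 0-1000. Fixability is deliberately absent."""
    impact = min(cvss_impact(**cvss) / MAX_IMPACT, 1.0)
    return round(1000 * impact * likelihood(factors))

# Constructed sample: C/I/A High, Scope Unchanged, with the likelihood factors
# mostly at their riskiest listed values.
CVSS = {"conf": "High", "integ": "High", "avail": "High", "scope": "Unchanged"}
HOT = {"epss": 0.9, "exploit_maturity": "Functional", "attack_vector": "Network",
       "privileges_required": "None", "attack_complexity": "Low",
       "user_interaction": "None", "age_years": 0.5, "trending": True,
       "malicious": False, "disputed": False, "reachability": "Reachable",
       "transitive_depth": "Direct dependency"}
```

Swapping individual factor values on the constructed sample shows how a disputed flag or an indirect, unreachable dependency pulls the score down while the impact subscore stays fixed.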
