Tripwire Adds Comprehensive Support for CVSS Version 3.0 in Tripwire IP360

Industry-leading vulnerability management solution supports updated vulnerability scoring standard

PORTLAND, Ore., December 2, 2015: Tripwire, Inc., a leading provider of advanced threat, security and compliance solutions, today announced comprehensive platform support for Common Vulnerability Scoring System (CVSS) version 3.0 in Tripwire® IP360, making it easy to share vulnerability and risk information across organizations.

CVSS is a universal, open, standardized system for rating IT vulnerabilities and determining the urgency of response. CVSS is developed by the Forum of Incident Response and Security Teams (FIRST), and the most recent version has been under development since 2012. CVSS 3.0 includes several new metrics designed to improve the accuracy of the standard, including metrics that more clearly reflect new attack vectors and recent changes in the threatscape.

In addition to CVSS 3.0 support, Tripwire IP360 is the industry leader in comprehensive and customizable vulnerability scoring solutions. Tripwire IP360 uses a unique scoring model that provides a distinction between vulnerable conditions by using an atomic measurement of risk that changes over time based on factors that are independent of the system or network that exhibits the vulnerability. Tripwire’s scoring model also incorporates the unique business context of each asset.

“The Tripwire Vulnerability Score allows customers to prioritize vulnerabilities for remediation at a granular level, but it’s important to also represent vulnerability risk in industry standard metrics,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “CVSS is a key metric across industries and Tripwire’s support for CVSS 3.0, the Tripwire Vulnerability Score and summary reporting gives customers the ability to measure and manage risk at multiple levels and for multiple audiences and demonstrates our continuing leadership in vulnerability management scoring.”

CVSS is an open framework designed to clearly communicate the characteristics and impacts of IT vulnerabilities. It uses a quantitative model designed to provide a consistent, standardized and transparent measurement system for IT vulnerabilities which can be used across industries, organizations and governments.

New CVSS 3.0 features include:

  • Exploitability metrics are now calculated separately for vulnerable and impacted components. These distinctions are important in many web application and cross-site vulnerabilities as well as escapes from sandboxes and guest virtual machines.
  • The attack vector metric now includes physical access as a possible value to more accurately describe attacks that require physical access to a vulnerable subsystem.
  • The authentication metric has been changed and is now referred to as the privileges required metric. It reflects the greatest privileges required by an attacker.
  • The impact metric has shifted from quantitative to qualitative values.
  • The new vulnerability chaining metric offers guidance on scoring multiple vulnerabilities.

For more information about Tripwire IP360, please visit:

About Tripwire

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at, get security news, trends and insights at or follow us on Twitter @TripwireInc.

Press Contacts

Ray Lapena
PR Manager