-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathscoring.html
More file actions
280 lines (249 loc) · 16.9 KB
/
Copy pathscoring.html
File metadata and controls
280 lines (249 loc) · 16.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Scoring — AVE Behavioral Classification Standard</title>
<meta name="description" content="The AIVSS v0.8 scoring formula used by every AVE record. Covers CVSS base, AARS, ThM, AARF factors, and two fully worked examples from published records.">
<meta name="robots" content="index, follow">
<meta name="theme-color" content="#0a3024">
<link rel="canonical" href="https://aveproject.org/scoring.html">
<!-- Open Graph / social sharing -->
<meta property="og:type" content="website">
<meta property="og:url" content="https://aveproject.org/scoring.html">
<meta property="og:title" content="Scoring — AVE Behavioral Classification Standard">
<meta property="og:description" content="The AIVSS v0.8 scoring formula used by every AVE record. Covers CVSS base, AARS, ThM, AARF factors, and two fully worked examples from published records.">
<meta property="og:image" content="https://aveproject.org/ave-favicon-512.png">
<meta property="og:image:width" content="512">
<meta property="og:image:height" content="512">
<meta property="og:site_name" content="AVE — Agentic Vulnerability Enumeration">
<!-- Twitter card -->
<meta name="twitter:card" content="summary">
<meta name="twitter:site" content="@bawbel_io">
<meta name="twitter:title" content="Scoring — AVE Behavioral Classification Standard">
<meta name="twitter:description" content="The AIVSS v0.8 scoring formula used by every AVE record. Covers CVSS base, AARS, ThM, AARF factors, and two fully worked examples from published records.">
<meta name="twitter:image" content="https://aveproject.org/ave-favicon-512.png">
<!-- Favicons -->
<link rel="icon" href="/favicon.ico" sizes="any">
<link rel="icon" href="/ave-favicon.svg" type="image/svg+xml">
<link rel="apple-touch-icon" href="/apple-touch-icon.png">
<link rel="manifest" href="/manifest.json">
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-KV0S12VEF3"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-KV0S12VEF3');
</script>
<!-- Structured data -->
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "WebSite",
"name": "AVE — Agentic Vulnerability Enumeration",
"url": "https://aveproject.org",
"description": "The behavioral classification standard for agentic AI components.",
"publisher": {
"@type": "Organization",
"name": "Bawbel",
"url": "https://bawbel.io",
"logo": {
"@type": "ImageObject",
"url": "https://aveproject.org/ave-favicon-512.png",
"width": 512,
"height": 512
}
},
"potentialAction": {
"@type": "SearchAction",
"target": {
"@type": "EntryPoint",
"urlTemplate": "https://aveproject.org/registry.html?q={{search_term_string}}"
},
"query-input": "required name=search_term_string"
}
}
</script>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@400;500;600&family=IBM+Plex+Sans:wght@400;500;600;700&family=Playfair+Display:wght@700;800&display=swap" rel="stylesheet">
<link rel="stylesheet" href="styles.css">
</head>
<body>
<div class="topbar">
<div class="wrap">
<a class="brandmark" href="index.html">
<svg width="34" height="34" viewBox="0 0 40 40" aria-hidden="true">
<path d="M20 6 C28 6 36 13 38 22 C30 20 24 22 20 27 C16 22 10 20 2 22 C4 13 12 6 20 6 Z" fill="#d4a017"/>
<path d="M20 27 L20 36 M20 27 C18 30 16 32 14 33 M20 27 C22 30 24 32 26 33" stroke="#9ec3b2" stroke-width="1.6" fill="none" stroke-linecap="round"/>
<circle cx="14.5" cy="17" r="1.6" fill="#0a3024"/><circle cx="25.5" cy="17" r="1.6" fill="#0a3024"/>
</svg>
<span>
<span class="wm">A<b>V</b>E</span>
<span class="sub">Agentic Vulnerability Enumeration</span>
</span>
</a>
<input type="checkbox" id="nav-toggle" class="nav-toggle">
<label for="nav-toggle" class="nav-toggle-label" aria-label="Toggle navigation">
<svg class="icon-open" viewBox="0 0 24 24" fill="none" stroke="#eaf3ee" stroke-width="2" stroke-linecap="round"><line x1="3" y1="6" x2="21" y2="6"/><line x1="3" y1="12" x2="21" y2="12"/><line x1="3" y1="18" x2="21" y2="18"/></svg>
<svg class="icon-close" viewBox="0 0 24 24" fill="none" stroke="#eaf3ee" stroke-width="2" stroke-linecap="round"><line x1="6" y1="6" x2="18" y2="18"/><line x1="6" y1="18" x2="18" y2="6"/></svg>
</label>
<nav class="topnav">
<a href="registry.html">Registry</a>
<a href="crosswalks.html">Crosswalks</a>
<a href="architecture.html">Architecture</a>
<a href="scoring.html" class="active">Scoring</a>
<a href="schema.html">Schema</a>
<a class="gh" href="https://github.com/bawbel/ave" target="_blank">GitHub</a>
</nav>
</div>
</div>
<header class="pagehead">
<div class="wrap">
<span class="pill">Scoring · OWASP AIVSS v0.8</span>
<h1>Scoring</h1>
<p>How AVE scores every behavioral classification record — the AIVSS v0.8 formula,
the 10 AARF amplification factors, and worked examples from real records.</p>
</div>
</header>
<article class="doc">
<div class="wrap">
<p class="lead">AVE does not invent its own scoring system. Every record is scored using <a href="https://aivss.owasp.org" target="_blank">OWASP AIVSS v0.8</a> — the AI Vulnerability Severity Scoring standard. AVE implements AIVSS; it does not own or modify it. This page documents how that scoring works inside an AVE record, so a researcher writing a new record or a reviewer checking an existing one can verify the number is right.</p>
<h2>The formula</h2>
<div class="codeblock"><span class="g">AIVSS</span> = ((<span class="g">CVSS_Base</span> + <span class="g">AARS</span>) / 2) × <span class="g">ThM</span> × <span class="g">Mitigation_Factor</span></div>
<p>Four inputs, each explained below:</p>
<div class="tbl-wrap"><table class="ref">
<thead><tr><th>Term</th><th>Range</th><th>What it is</th></tr></thead>
<tbody>
<tr><td class="mono">CVSS_Base</td><td class="mono">0–10</td><td>Standard CVSS 4.0 base score for the underlying flaw, independent of agentic context. Stored as <code>aivss.cvss_base</code>.</td></tr>
<tr><td class="mono">AARS</td><td class="mono">0–10</td><td>Agentic Amplification & Reachability Score — the sum of the 10 AARF factors below. Stored as <code>aivss.aars</code>.</td></tr>
<tr><td class="mono">ThM</td><td class="mono">0.5–1.5</td><td>Threat & Heuristic Multiplier — how real-world the threat is. Stored as <code>aivss.thm</code>.</td></tr>
<tr><td class="mono">Mitigation_Factor</td><td class="mono">0–1</td><td>How much available mitigation reduces real-world risk. Stored as <code>aivss.mitigation_factor</code>.</td></tr>
</tbody>
</table></div>
<div class="callout">
<span class="k">Why average CVSS and AARS, not just use AARS</span>
<p>AIVSS does not replace CVSS — it extends it. Averaging CVSS_Base with AARS means a class with a low traditional severity but high agentic amplification (or the reverse) lands in the middle rather than at either extreme. A record is never scored purely on how “agentic” it is.</p>
</div>
<h2>AARS — the 10 AARF factors</h2>
<p>AARS is the sum of 10 Agentic Amplification and Risk Factors (AARF), each scored 0.0 (not applicable) to 1.0 (fully applicable). They live in <code>aivss.aarf</code> as an optional breakdown object.</p>
<div class="tbl-wrap"><table class="ref">
<thead><tr><th>Factor</th><th>Score 1.0 when…</th></tr></thead>
<tbody>
<tr><td class="mono">autonomy</td><td>the agent acts without human confirmation</td></tr>
<tr><td class="mono">tool_use</td><td>the component grants access to external tools or APIs</td></tr>
<tr><td class="mono">multi_agent</td><td>the attack chains across multiple agents</td></tr>
<tr><td class="mono">non_determinism</td><td>behavior varies unpredictably across runs</td></tr>
<tr><td class="mono">self_modification</td><td>the component can alter its own instructions at runtime</td></tr>
<tr><td class="mono">dynamic_identity</td><td>the component assumes roles or personas</td></tr>
<tr><td class="mono">persistent_memory</td><td>state is retained across sessions</td></tr>
<tr><td class="mono">natural_language_input</td><td>instructions are delivered via natural language</td></tr>
<tr><td class="mono">data_access</td><td>the component reads sensitive data (files, env, databases)</td></tr>
<tr><td class="mono">external_dependencies</td><td>the component loads remote code or content</td></tr>
</tbody>
</table></div>
<p>Intermediate values (0.5) are used when a factor partially applies. AARS is simply the sum of all 10 — a record where every factor scores 1.0 has an AARS of 10.</p>
<h2>ThM — Threat & Heuristic Multiplier</h2>
<p>ThM reflects how real the threat is right now, independent of severity. It is set by the researcher authoring the record, based on observed evidence.</p>
<div class="tbl-wrap"><table class="ref">
<thead><tr><th>ThM</th><th>When to use it</th></tr></thead>
<tbody>
<tr><td class="mono">0.75</td><td>Theoretical — no known proof of concept</td></tr>
<tr><td class="mono">0.90</td><td>A working proof of concept exists</td></tr>
<tr><td class="mono">1.0</td><td>Exploited in the wild, or weaponised</td></tr>
</tbody>
</table></div>
<h2>Severity bands</h2>
<p>The final AIVSS score maps to <code>severity</code>, which must agree with <code>aivss.aivss_score</code>:</p>
<div class="tbl-wrap"><table class="ref">
<thead><tr><th>Band</th><th>AIVSS range</th></tr></thead>
<tbody>
<tr><td><span class="req y">CRITICAL</span></td><td class="mono">≥ 9.0</td></tr>
<tr><td><span class="req n" style="color:#c98a3a;background:#fdeed2">HIGH</span></td><td class="mono">7.0–8.9</td></tr>
<tr><td><span class="req n">MEDIUM</span></td><td class="mono">4.0–6.9</td></tr>
<tr><td><span class="req n">LOW</span></td><td class="mono">< 4.0</td></tr>
</tbody>
</table></div>
<h2>Worked example — AVE-2026-00046</h2>
<p>AVE's only CRITICAL-severity record: <em>MCP tool hook hijacking</em>. Here is its real <code>aivss</code> object and how the final score was derived.</p>
<figure>
<svg viewBox="0 0 920 360" role="img" aria-label="AIVSS calculation for AVE-2026-00046" fill="#11201a">
<rect class="b-teal-h" x="40" y="30" width="840" height="84" rx="10"/>
<text class="t-title" x="62" y="58">Step 1 — inputs</text>
<text class="t-sub" x="62" y="82">CVSS_Base = 10.0</text>
<text class="t-sub" x="240" y="82">AARS = 8.5 (sum of AARF factors below)</text>
<text class="t-sub" x="560" y="82">ThM = 1.0 · Mitigation_Factor = 1.0</text>
<rect class="b-amber" x="40" y="134" width="840" height="124" rx="10"/>
<text class="t-title" x="62" y="162">Step 2 — AARF factors (sum = AARS)</text>
<text class="t-sub" x="62" y="186">autonomy 1.0 · tool_use 1.0 · multi_agent 0.5 · non_determinism 0.5 · self_modification 1.0</text>
<text class="t-sub" x="62" y="208">dynamic_identity 1.0 · persistent_memory 0.5 · natural_language_input 1.0 · data_access 1.0 · external_dependencies 1.0</text>
<text class="t-sub" x="62" y="238" style="font-weight:600">= 8.5 total — full tool interception capability with external exfiltration</text>
<rect class="b-purple" x="40" y="288" width="840" height="56" rx="10"/>
<text class="t-title" x="62" y="316">Step 3 — compose</text>
<text class="t-sub" x="62" y="336">((10.0 + 8.5) / 2) × 1.0 × 1.0 = 9.25 → rounds to <tspan fill="#b3261e" font-weight="700">9.2 · CRITICAL</tspan></text>
</svg>
<figcaption>AVE-2026-00046 — MCP tool hook hijacking. Real values from the published record.</figcaption>
</figure>
<h2>Worked example — AVE-2026-00014</h2>
<p>The lowest-severity record in the set: <em>false authority claim via trust escalation</em>. A useful contrast — high CVSS_Base alone does not guarantee a high final score.</p>
<figure>
<svg viewBox="0 0 920 360" role="img" aria-label="AIVSS calculation for AVE-2026-00014" fill="#11201a">
<rect class="b-teal-h" x="40" y="30" width="840" height="84" rx="10"/>
<text class="t-title" x="62" y="58">Step 1 — inputs</text>
<text class="t-sub" x="62" y="82">CVSS_Base = 6.5</text>
<text class="t-sub" x="240" y="82">AARS = 5.5 (sum of AARF factors below)</text>
<text class="t-sub" x="560" y="82">ThM = 0.75 · Mitigation_Factor = 0.83</text>
<rect class="b-amber" x="40" y="134" width="840" height="124" rx="10"/>
<text class="t-title" x="62" y="162">Step 2 — AARF factors (sum = AARS)</text>
<text class="t-sub" x="62" y="186">autonomy 0.5 · tool_use 0.5 · multi_agent 1.0 · non_determinism 1.0 · self_modification 0</text>
<text class="t-sub" x="62" y="208">dynamic_identity 1.0 · persistent_memory 0.5 · natural_language_input 1.0 · data_access 0 · external_dependencies 0</text>
<text class="t-sub" x="62" y="238" style="font-weight:600">= 5.5 total — social engineering, amplified by multi-agent and dynamic identity</text>
<rect class="b-purple" x="40" y="288" width="840" height="56" rx="10"/>
<text class="t-title" x="62" y="316">Step 3 — compose</text>
<text class="t-sub" x="62" y="336">((6.5 + 5.5) / 2) × 0.75 × 0.83 = 3.73 → rounds to <tspan fill="#5d6f66" font-weight="700">3.7 · LOW</tspan></text>
</svg>
<figcaption>AVE-2026-00014 — false authority claim via trust escalation. ThM 0.75 (theoretical, no PoC) and a Mitigation_Factor below 1.0 both pull the score down despite meaningful CVSS_Base and AARS.</figcaption>
</figure>
<div class="callout gold">
<span class="k">The invariant that matters most</span>
<p><code>confidence</code> is never part of this calculation and never appears in an AVE record. AIVSS answers “how bad would this be if it fires”; confidence answers “how sure is the scanner that it fired.” The two are separate fields on a scanner Finding, computed independently. See <a href="architecture.html">Architecture</a> for the full declares-vs-assigns contract.</p>
</div>
<h2>Where this lives in a record</h2>
<p>Field-level reference for every part of the <code>aivss</code> object — required/optional status and types — is on the <a href="schema.html">Schema</a> page. This page explains how the numbers are derived; Schema documents the field shapes that hold them.</p>
<p style="margin-top:20px;">OWASP AIVSS v0.8 specification: <a href="https://aivss.owasp.org" target="_blank">aivss.owasp.org</a></p>
</div>
</article>
<footer class="site">
<div class="wrap">
<div class="cols">
<div class="lic">
<p><b>AVE is an open standard.</b> The schema and records are published under Apache 2.0. AVE is moving toward neutral governance under an independent standards body — it is meant to outlive any single implementation, including Bawbel's.</p>
<p>Maps to OWASP MCP Top 10 · OWASP Agentic AI Top 10 · MITRE ATLAS · OWASP AIVSS v0.8. The open record set can be consumed by any tool.</p>
<p class="citing"><b>Citing AVE.</b> Reference a record by its id, which is permanent and never reused: <span class="cmono">AVE-YYYY-NNNNN: Title. Agentic Vulnerability Enumeration (AVE), Bawbel/AVE Project. https://aveproject.org/registry.html#AVE-YYYY-NNNNN</span></p>
</div>
<div class="links">
<div>
<span class="h">Standard</span>
<a href="registry.html">Registry</a>
<a href="crosswalks.html">Crosswalks</a>
<a href="architecture.html">Architecture</a>
<a href="scoring.html">Scoring</a>
<a href="schema.html">Schema v1.0.0</a>
<a href="https://github.com/bawbel/ave" target="_blank">GitHub repo</a>
</div>
<div>
<span class="h">Implementations</span>
<a href="https://github.com/bawbel/scanner" target="_blank">Bawbel scanner (reference)</a>
<a href="architecture.html">Build your own</a>
</div>
</div>
</div>
<div class="base">
<span>© 2026 AVE Project</span>
<span>Apache 2.0</span>
</div>
</div>
</footer>
</body>
</html>